Let FreeRADIUS ignore a request from rlm_perl

Harm van Tilborg harm at zeroxcool.net
Wed Sep 9 08:55:11 CEST 2015


On Tue, Sep 8, 2015 at 1:59 PM, Herwin Weststrate <herwin at quarantainenet.nl>
wrote:

> On 08-09-15 13:34, Harm van Tilborg wrote:
> > Hey there,
> >
> > I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible
> > to ignore a request (i.e. send no reply at all) inside an rlm_perl module.
> >
> > I tried returning either RLM_MODULE_NOOP, RLM_MODULE_INVALID,
> > RLM_MODULE_FAIL, and RLM_MODULE_HANDLED (without setting any reply
> > attributes) inside an authenticate function. Although, in the end, they all
> > result in the server rejecting the request, which is not what I want.
>
> Those are just the return values of the module.
>
> As to discarding packets: see the discussion at
>
> http://freeradius.1045715.n5.nabble.com/silently-drop-packet-access-request-td2747858.html
>
> --
> Herwin Weststrate
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


Let me explain why I believe dropping packets is a valid use case.

I'm implementing OTPs using SMS. I currently have two servers at two
separate locations. Some of my RADIUS clients directly send an access
request to both servers, instead of considering the primary server first
and when no reply is received, considering the second. Because the servers
don't synchronize state, in this particular case, the client would receive
two SMS messages containing different OTPs.

Therefore, I would like the secondary server to ignore the access request
by dropping the access request.

-- Harm

