Let FreeRADIUS ignore a request from rlm_perl
Sander Eerdekens
sander.eerdekens at uzleuven.be
Wed Sep 9 10:28:18 CEST 2015
> > > I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is
> > > possible
> > > to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
> Let me explain why I believe dropping packets is a valid use case.
>
> I'm implementing OTPs using SMS. I currently have two servers at two
> separate locations. Some of my RADIUS clients directly send an access
> request to both servers, instead of considering the primary server first
> and when no reply is received, considering the second. Because the servers
> don't synchronize state, in this particular case, the client would receive
> two SMS messages containing different OTPs.
>
> Therefore, I would like the secondary server to ignore the access request
> by dropping the access request.
We use dropping packets for another scenario.
We use FreeRADIUS for AAA for Cisco switches (logging into SSH on them) instead of TACACS.
The RADIUS server authenticates against an LDAP server.
However, if LDAP is down, we still want to be able to log in to the switches with a predefined admin password.
The way Cisco implemented this is: "if the RADIUS server does not respond, use the local password".
Thus, if the LDAP module fails (not rejects), we want to ignore the packet instead of sending an Access-Reject.
To achieve a "drop packet" you could use this configuration:
return RLM_MODULE_FAIL inside perl,
and use this configuration inside the sites-enabled:
    redundant {
        perl
        do_not_respond
    }

You can find do_not_respond in the policy.conf file.

    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
However, you cannot do it directly from your perl module; you have to have some config in your sites-enabled to check and discard the packet.
Kind regards
Sander Eerdekens
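The following is an added example, not Sander's module or anything shipped with FreeRADIUS, showing what the perl side of that redundant block looks like. It assumes Net::LDAP is installed, that the admin accounts live under a hypothetical base DN on a hypothetical host, and that the module is wired up as the perl Auth-Type in sites-enabled. The point it demonstrates is the distinction the post relies on: a directory that cannot be reached returns RLM_MODULE_FAIL, so unlang's redundant block moves on to do_not_respond and the switch falls back to its local password, whereas a wrong password returns RLM_MODULE_REJECT, which ends the redundant block and sends a normal Access-Reject.

```perl
# Added example (not from the original post): a hypothetical rlm_perl
# authenticate() that turns an LDAP outage into RLM_MODULE_FAIL so that
# the following unlang (assumed to be in sites-enabled/default) drops the
# packet instead of rejecting it:
#
#     authenticate {
#         Auth-Type perl {
#             redundant {
#                 perl
#                 do_not_respond
#             }
#         }
#     }
#
# "fail" from perl makes redundant{} try the next entry (do_not_respond);
# "reject" or "ok" stops the redundant block and the reply is sent as usual.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Populated by rlm_perl before each call (see FreeRADIUS's example.pl).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes and log levels, as numbered in FreeRADIUS's example.pl.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
    RLM_MODULE_NOOP    => 7,
};
use constant { L_DBG => 1, L_AUTH => 2, L_INFO => 3, L_ERR => 4 };

# Assumptions for this example; not values from the original post.
my $LDAP_HOST = 'ldap.example.internal';
my $BASE_DN   = 'ou=switch-admins,dc=example,dc=internal';
my $TIMEOUT   = 3;    # seconds; keep it shorter than the NAS's RADIUS timeout

sub authenticate {
    my $user = $RAD_REQUEST{'User-Name'};
    my $pass = $RAD_REQUEST{'User-Password'};

    # Missing or empty credentials are a client problem, not an outage:
    # reject so the switch does not fall back to its local password.
    return RLM_MODULE_REJECT
        unless defined $user && length $user && defined $pass && length $pass;

    my $ldap = Net::LDAP->new($LDAP_HOST, timeout => $TIMEOUT);
    if (!$ldap) {
        # Directory unreachable: FAIL (not REJECT) so redundant{} moves on
        # to do_not_respond and no reply leaves the server at all.
        &radiusd::radlog(L_ERR, "LDAP unreachable while authenticating $user: $@");
        return RLM_MODULE_FAIL;
    }

    # escape_dn_value keeps a crafted User-Name from altering the DN.
    my $dn  = 'uid=' . escape_dn_value($user) . ",$BASE_DN";
    my $res = $ldap->bind($dn, password => $pass);
    $ldap->unbind;

    if ($res->code == LDAP_SUCCESS) {
        &radiusd::radlog(L_AUTH, "LDAP bind ok for $user");
        return RLM_MODULE_OK;
    }
    if ($res->code == LDAP_INVALID_CREDENTIALS) {
        # Wrong password: a real rejection, so an Access-Reject is sent.
        &radiusd::radlog(L_AUTH, "LDAP bind rejected for $user");
        return RLM_MODULE_REJECT;
    }

    # Any other LDAP result (server busy, unwilling to perform, ...) is
    # treated as an outage rather than a verdict on the credentials.
    &radiusd::radlog(L_ERR, "LDAP error " . $res->code . " for $user: " . $res->error);
    return RLM_MODULE_FAIL;
}

1;
```

The log lines are what you would grep for when deciding whether a switch login succeeded because LDAP accepted it or because the server deliberately stayed silent and the local password took over; keeping the two FAIL paths loud makes that distinction visible in radius.log.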