Let FreeRADIUS ignore a request from rlm_perl

Harm van Tilborg harm at zeroxcool.net
Wed Sep 9 11:21:24 CEST 2015


On Wed, Sep 9, 2015 at 10:28 AM, Sander Eerdekens <
sander.eerdekens at uzleuven.be> wrote:

> > > > I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is
> > > > possible to ignore a request (i.e. send no reply at all) inside a
> > > > rlm_perl module.
>
>
> > Let me explain why I believe dropping packets is a valid use case.
> >
> > I'm implementing OTPs using SMS. I currently have two servers at two
> > separate locations. Some of my RADIUS clients directly send an access
> > request to both servers, instead of considering the primary server first
> > and when no reply is received, considering the second. Because the
> > servers don't synchronize state, in this particular case, the client
> > would receive two SMS messages containing different OTPs.
> >
> > Therefore, I would like the secondary server to ignore the access request
> > by dropping the access request.
>
> We use dropping packets for another scenario.
> We use FreeRADIUS for AAA for Cisco switches (logging into SSH on them)
> instead of TACACS.
> The RADIUS server authenticates against an LDAP server.
>
> However, if LDAP is down, we still want to be able to log in to the
> switches with a predefined admin password.
> The way Cisco implemented this is, "if the RADIUS server does not respond,
> use the local password".
> Thus, if the LDAP module fails (not rejects), we want to ignore the packet
> instead of sending an Access-Reject.
>
> To achieve a "drop packet" you could use this configuration:
> return RLM_MODULE_FAIL inside perl,
> and use this configuration inside the sites-enabled:
>
> redundant {
>         perl
>         do_not_respond
> }
>
> You can find do_not_respond in the policy.conf file.
>
> do_not_respond {
>         update control {
>                 Response-Packet-Type := Do-Not-Respond
>         }
>
>         handled
> }
>
> However, you cannot do it directly from your perl module, you have to have
> some config in your sites-enabled to check and discard the packet.
>
> Kind regards
> Sander Eerdekens
>

Thanks Sander!

This put me on the right track. As a matter of fact, you can specify the
response packet type directly in rlm_perl, by doing:

    $RAD_CHECK{'Response-Packet-Type'} = 'Do-Not-Respond';
    return RLM_MODULE_HANDLED;

This way, no configuration change is needed in the site configuration.

-- Harm
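As an added example (not code from this thread), a minimal FreeRADIUS 2.x rlm_perl module that applies the finding above to Sander's LDAP-outage scenario: a backend failure is dropped silently so the NAS falls back to its local credentials, while a genuine bad password still gets an Access-Reject. The directory lookup is a constructed in-memory stand-in, and `directory_check`, `drop_silently` and `%DIRECTORY` are my own names.

```perl
use strict;
use warnings;

# Hashes that rlm_perl (FreeRADIUS 2.x) fills in before calling each hook.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes, matching the values in the FreeRADIUS 2.x example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_HANDLED => 3;

# Constructed stand-in for the LDAP directory: a user table plus an
# 'available' flag so an outage can be simulated offline.
my %DIRECTORY = (
    available => 1,
    users     => { alice => 'constructed-pw-1', bob => 'constructed-pw-2' },
);

# Returns ('fail', 0) when the backend is unreachable, otherwise
# ('ok', 1) on a credential match and ('ok', 0) on a mismatch.
sub directory_check {
    my ($user, $pass) = @_;
    return ('fail', 0) unless $DIRECTORY{available};
    my $stored = defined $user ? $DIRECTORY{users}{$user} : undef;
    return ('ok', (defined $stored && defined $pass && $stored eq $pass) ? 1 : 0);
}

# Tell the core to send nothing: the NAS sees a timeout, and a Cisco
# switch then falls back to its locally configured credentials.
sub drop_silently {
    my ($why) = @_;
    $RAD_CHECK{'Response-Packet-Type'} = 'Do-Not-Respond';
    &radiusd::radlog(1, "rlm_perl: not responding ($why)");
    return RLM_MODULE_HANDLED;
}

# authenticate hook. An outage is dropped; a wrong password is still
# answered with Access-Reject so it cannot be mistaken for an outage.
sub authenticate {
    my ($status, $match) = directory_check($RAD_REQUEST{'User-Name'},
                                           $RAD_REQUEST{'User-Password'});
    return drop_silently('directory unavailable') if $status eq 'fail';
    if (!$match) {
        $RAD_REPLY{'Reply-Message'} = 'Authentication failed';
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}
```

The `authenticate` hook is only reached when the request has been given `Auth-Type := Perl`, for example from the `authorize` section of the virtual server.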