Post-Proxy Fail do_not_respond not working

Peter Lambrechtsen peter at crypt.co.nz
Tue Mar 1 11:14:34 CET 2016


I found my last outstanding bug before I deploy my configuration and it's
got me stumped.

When a Proxy server is down I would like to choose between sending a reject
or not sending a response at all.

Is there a way that do_not_respond will be honored on 3.0.11 is a
post-proxy failure situation?

I've tried various ways to have either do_not_respond or
         update control {
                &Response-Packet-Type := Do-Not-Respond
        }

But there doesn't seem to be a way to disable the reject and not respond at
all when the Proxy fails.

Marking home server 222.222.222.1 port 1812 as zombie (it has not responded
in 1.000000 seconds).
(0) ERROR: Failing proxied request for user "peter", due to lack of any
response from home server 222.222.222.1 port 1812
(0) Clearing existing &reply: attributes
(0) Found Post-Proxy-Type Fail-Authentication
(0) # Executing group from file ./sites-enabled/default
(0)   Post-Proxy-Type Fail-Authentication {
(0)     policy do_not_respond {
(0)       update control {
(0)         &Response-Packet-Type := Do-Not-Respond
(0)       } # update control = noop
(0)       [handled] = handled
(0)     } # policy do_not_respond = handled
(0)   } # Post-Proxy-Type Fail-Authentication = handled
(0) There was no response configured: rejecting request
(0) Using Post-Auth-Type Reject
(0) # Executing group from file ./sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0)     if (&control:Proxy-To-Realm) {
(0)     if (&control:Proxy-To-Realm)  -> TRUE
(0)     if (&control:Proxy-To-Realm)  {
(0)       update control {
(0)         &Response-Packet-Type := Do-Not-Respond
(0)       } # update control = noop
(0)     } # if (&control:Proxy-To-Realm)  = noop
(0)   } # Post-Auth-Type REJECT = noop
(0) Sent Access-Reject Id 64 from 127.0.0.1:1812 to 127.0.0.1:40320 length 0
(0) Finished request

do_not_respond works fine for non-proxied requests, but I can't see how to
make it work for proxied requests when the proxy server fails to respond.


More information about the Freeradius-Users mailing list