Return no answer to the client if proxied access request times out
Gianni Costanzi
gianni.costanzi at gmail.com
Fri Jan 18 12:17:54 CET 2019
Hi Alan,
Thank you for your answer. Actually we can install only from official
Redhat Enterprise repositories, due to internal policies which are quite
restrictive. Unfortunately it’s not so easy to switch vendor when you’re
working in big companies that must comply to tens of policies (due to ISOs,
PCI-DSS, GDPR), I perfectly understood what you say and I have your
attitude when working on my own systems.
BTW, where should the following code snipped be placed? In which
file/section?
Post-Proxy-Type Fail {
do_not_respond
}
Best regards,
Gianni Costanzi
Il giorno mer 16 gen 2019 alle 13:45 Alan DeKok <aland at deployingradius.com>
ha scritto:
> On Jan 16, 2019, at 3:37 AM, Gianni Costanzi <gianni.costanzi at gmail.com>
> wrote:
> > we're running Freeradius 3.0.13 (the most recent version available for
> > our production environment running RedHat Enterprise 7.5)
>
> There are updated packages on http://packages.networkradius.com
>
> You can also build your own packages.
>
> I've never understood the attitude of "we're going to run software
> that's years out of date because that's what our vendor supplies". The
> vendor is there to make *you* happy. If the software they supply is out of
> date, complain. Or switch vendors. Or build your own.
>
> > we did not configure no_response_fail parameter, so if I've understood
> > well from the docs, Freeradius should not reply to the Access-Request
> > of the client NAS if the proxied access request times out, right?
>
> That was removed a long time ago.
>
> There's another way to do it now. Instead of a config option, do:
>
> Post-Proxy-Type Fail {
> do_not_respond
> }
>
> That should fix it. It's also a more generic process. It works in more
> places, requires less C code, and is more configurable on your end.
>
> > What I see is an Access-Reject from Freeradius server after the
> > response_window expires, why?
> >
> > What am I missing?
>
> The config still showed no_response_fail, when the code was removed from
> the server a long time ago. I've updated the current configuration to
> remove the references to no_response_fail.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
--< Sent from GMail mobile >--
--------------------------------------------------------------------------------------------------------------
Find me on LinkedIn: http://it.linkedin.com/in/giannicostanzi My blog:
http://networkingpills.wordpress.com My best photos on 500px:
http://500px.com/GianniCostanzi PGP Key Fingerprint: 2404 1798 E01F F6BF
0FA3 AA07 B6D5 040F 2EDD 456A
--------------------------------------------------------------------------------------------------------------
More information about the Freeradius-Users
mailing list