Can I gracefully handle radius requests if all home servers are down?

work vlpl thework.vlpl at gmail.com
Sat Jun 8 14:40:27 CEST 2019


On Sat, 8 Jun 2019 at 12:50, Alan DeKok <aland at deployingradius.com> wrote:

>   Use 3.0.19.  Then, in the "post-proxy" section, add:
>
>         Post-Proxy-Type Fail {
>                 ... add fail rules here
>         }

I am using FreeRADIUS Version 3.0.20 (git #ba62e22), and from my tests
I think that the way you proposed probably will not work.
I tried to use this statement

```
update control {
    Auth-Type := Accept
}
```

in `Post-Proxy-Type Fail-Authentication {}` or `Post-Proxy-Type Fail {}`.
In both sections it does not work. In the debug log I see that the
`control:Auth-Type` attribute was updated. But it does not change
anything; the proxy FreeRADIUS server still wants to return `Access-Reject`
and goes to the `Post-Auth-Type REJECT` section. In the `control` attribute
list I see another attribute, `Post-Auth-Type`, that probably has
precedence. But if I try to use a configuration that updates this
attribute

```
update control {
    Post-Auth-Type := Accept
}
```
the FreeRADIUS server doesn't even want to start, and says

```
testing-stie[226]: Unknown or invalid value "Accept" for attribute
Post-Auth-Type
```

I believe it is because of this
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/share/dictionary.freeradius.internal#L641

So, let me ask these questions for clarification.

1. To force the FreeRADIUS server to send an `Access-Accept` RADIUS response,
I should usually use this statement, shouldn't I?

```
update control {
    Auth-Type := Accept
}
```

2. Does the `control:Auth-Type` attribute not matter in the
`Post-Proxy-Type Fail-Authentication {}`, `Post-Proxy-Type Fail {}` and
`Post-Auth-Type REJECT` sections? And does FreeRADIUS use
`Post-Auth-Type` to control the request processing flow?

3. I found this in the documentation: "Changes to Post-Auth-Type during
post-auth will have no effect."
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L10
And in the debug log I see the following lines

```
(1)    } # Post-Proxy-Type Fail-Authentication = noop
(1)  Login incorrect (Home Server failed to respond):
[testing_remote_attr] (from client testclient port 0)
(1)  There was no response configured: rejecting request
(1)  Using Post-Auth-Type Reject
```

I tried to set `Post-Auth-Type := Local` inside the `Post-Proxy-Type Fail`
section, but as the documentation says
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L15
`Post-Auth-Type` is overwritten automatically and the value that I set
inside `Post-Proxy-Type Fail` does not matter. Does this mean that it
is impossible to control the value of `Post-Auth-Type` and it will always
be set automatically?

If not, can I update `Post-Auth-Type` with `Local` or `Challenge`? I
mean I definitely can do that, I tested it. But what do these values
mean? How can I control the packet processing flow with those attributes?
--
Vladimir


More information about the Freeradius-Users mailing list