Can I gracefully handle radius requests if all home servers are down?
work vlpl
thework.vlpl at gmail.com
Sat Jun 8 14:40:27 CEST 2019
On Sat, 8 Jun 2019 at 12:50, Alan DeKok <aland at deployingradius.com> wrote:
> Use 3.0.19. Then, in the "post-proxy" section, add:
>
> Post-Proxy-Type Fail {
> ... add fail rules here
> }
I am using FreeRADIUS Version 3.0.20 (git #ba62e22), and from my tests
I think that the way you proposed probably will not work.
I tried to use this statement
```
update control {
Auth-Type := Accept
}
```
in `Post-Proxy-Type Fail-Authentication {}` or `Post-Proxy-Type Fail {}`.
In both sections it does not work. In the debug log I see that the
`control:Auth-Type` attribute was updated. But it does not change
anything; the proxy FreeRadius server still wants to return `Access-Reject`
and goes to the `Post-Auth-Type REJECT` section. In the `control` attribute
list I see another attribute, `Post-Auth-Type`, that probably has
precedence. But if I try to use a configuration that updates this
attribute
```
update control {
Post-Auth-Type := Accept
}
```
the FreeRadius server doesn't even want to start, and says
```
testing-stie[226]: Unknown or invalid value "Accept" for attribute
Post-Auth-Type
```
I believe it is because of this
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/share/dictionary.freeradius.internal#L641
So, let me ask these questions for clarification.
1. To force the FreeRadius server to send an `Access-Accept` RADIUS response,
I should usually use this statement, shouldn't I?
```
update control {
Auth-Type := Accept
}
```
2. Does the `control:Auth-Type` attribute not matter in the
`Post-Proxy-Type Fail-Authentication {}`, `Post-Proxy-Type Fail {}` and
`Post-Auth-Type REJECT` sections? And does FreeRadius use
`Post-Auth-Type` to control the request processing flow?
3. I found this in the documentation: "Changes to Post-Auth-Type during
post-auth will have no effect."
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L10
And in the debug log I see the following lines
```
(1) } # Post-Proxy-Type Fail-Authentication = noop
(1) Login incorrect (Home Server failed to respond):
[testing_remote_attr] (from client testclient port 0)
(1) There was no response configured: rejecting request
(1) Using Post-Auth-Type Reject
```
I tried to set `Post-Auth-Type := Local` inside the `Post-Proxy-Type Fail`
section, but as the documentation says
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L15
`Post-Auth-Type` is overwritten automatically and the value that I set
inside `Post-Proxy-Type Fail` does not matter. Does this mean that it
is impossible to control the value of `Post-Auth-Type` and it will always
be set automatically?
If not, can I update `Post-Auth-Type` with `Local` or `Challenge`? I
mean I definitely can do that, I tested it. But what do these values
mean? How can I control the packet processing flow with those attributes?
--
Vladimir