Can I gracefully handle radius requests if all home servers are down?

Alan DeKok aland at deployingradius.com
Sun Jun 9 16:47:35 CEST 2019


On Jun 8, 2019, at 8:40 AM, work vlpl <thework.vlpl at gmail.com> wrote:
> 
> On Sat, 8 Jun 2019 at 12:50, Alan DeKok <aland at deployingradius.com> wrote:
> I am using FreeRADIUS Version 3.0.20 (git #ba62e22), and from my tests
> I think that the way you proposed probably will not work.

  It will work as I said.

  I don't understand the need to ask questions, and then argue with the answers.  This is rude, and it wastes everyone's time.

> I tried to use this statement
> 
> ```
> update control {
>    Auth-Type := Accept
> }
> ```

  Which is information you *didn't* give in your previous message.

  If you ask the wrong question, you get the wrong answer.

  FreeRADIUS can't turn an Access-Reject reply from a home server into an Access-Accept.  If you had asked about *that* in your original message, you would have received that answer.

> in  `Post-Proxy-Type Fail-Authentication {}` or  `Post-Proxy-Type Fail
> {}`. In both sections it does not work. In debug log I see that
> `control:Auth-Type` attribute was updated. But it does not change
> anything, proxy FreeRadius server still wants to return `Access-Reject`
> and goes to `Post-Auth-Type REJECT` section. In `control` attributes
> list I see other attribute `Post-Auth-Type` that probably has
> precedence. But if I try to use configuration that updates this
> attribute
> 
> ```
> update control {
>    Post-Auth-Type := Accept
> }
> ```
> FreeRadius server doesn't even want to start, and says
> 
> ```
> testing-stie[226]: Unknown or invalid value "Accept" for attribute
> Post-Auth-Type
> ```
> 
> I believe it is because of this
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/share/dictionary.freeradius.internal#L641

  It's because you're inventing things.  You can't just invent new configuration items for the server and expect them to work.


> So, let me ask these questions for clarification.
> 
> 1. To force FreeRadius server send `Access-Accept` radius response
> usually I should use this statement, isn't it?
> 
> ```
> update control {
>    Auth-Type := Accept
> }
> ```

  If it's not proxying, yes.

> 2. Does the `control:Auth-Type` attribute not matter in
> `Post-Proxy-Type Fail-Authentication{}`, `Post-Proxy-Type Fail {}` and
> in `Post-Auth-Type REJECT` sections?

  If you read the documentation and examples, Auth-Type affects the *authentication* phase.  i.e. the "authenticate" section.

  Since "Post-Proxy" != "authenticate", then "Auth-Type" doesn't affect the post-proxy phase.  This should be fairly clear from the names.

> And FreeRadius uses
> `Post-Auth-Type` to control request processing flow?

  In the "post-auth" phase.

> 3. I found this in documentation "Changes to Post-Auth-Type during
> post-auth will have no effect."
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L10
> And in debug log I see next lines
> 
> ```
> (1)    } # Post-Proxy-Type Fail-Authentication = noop
> (1)  Login incorrect (Home Server failed to respond):
> [testing_remote_attr] (from client testclient port 0)
> (1)  There was no response configured: rejecting request
> (1)  Using Post-Auth-Type Reject
> ```
> 
> I tried to set `Post-Auth-Type := Local` inside `Post-Proxy-Type Fail`
> section but as documentation says
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/post_auth_type#L15
> `Post-Auth-Type` is overwritten automatically and value that I set
> inside `Post-Proxy-Type Fail` does not matter. Does this mean that it
> is impossible to control value of `Post-Auth-Type` and it will always
> be set automatically?

  If the documentation says it can't be set then it can't be set.  That should also be fairly clear.

> If not, can I update `Post-Auth-Type` with `Local` or `Challenge`? I
> mean I definitely can do that, I tested it. But what do these values
> mean? How can I control packet processing flow with those attributes?

  The server works as documented.  If you want to do something else, either follow the documentation, or change the source code.

  Alan DeKok.




