Home server failure messages

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Fri Nov 22 21:35:31 CET 2019


Hi Alan,
  Hopefully I've understood - I did try the status_check = "status-server" option in the tls (radsec) virtual server, but it seems it is not permitted:

Only 'status_check = none' is allowed for home servers with 'proto = tcp'

Radsecproxy, which I toyed about with for a while, seemed to allow status checks and when used in between freeradius servers (iirc) did respond to the request with no issues via radsec..
Maybe there's something I'm missing, wouldn't be the first time :-)

Thanks
Andy
________________________________________
From: Freeradius-Users <freeradius-users-bounces+andy.franks1=nhs.net at lists.freeradius.org> on behalf of Alan Buxey <alan.buxey at gmail.com>
Sent: 22 November 2019 19:57
To: FreeRadius users mailing list
Subject: Re: Home server failure messages

Hi

If using RADSEC why not use the status-server check (low level check not a
user/pass check - though a false user etc will give a reject which means
the server is okay)... Or maybe the server is fine and the issue is
elsewhere (talking to a proxy that might have problems upstream?)

Correctly configured the server should fail over to the next available home
server (and with RADSEC only use the failed one when it's been checked and
responding again)

alan


On Wed, 20 Nov 2019, 16:17 FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL
NHS TRUST) via Freeradius-Users, <freeradius-users at lists.freeradius.org>
wrote:

> Hi all,
>
> Freeradius 3.0.20-1.
>
>   Is there a way I can pick up (and report) failures for connections to
> home servers?
> I can't think of a way, but normally I'd check the Module-Failure-Message
> attribute; is there anything similar I can use for proxying as that isn't
> set here (not a module I guess!)
>
> Sorry if it's really obvious and documented somewhere, but I can't see
> anything that would get set, having checked proxy.conf, tls, pre-proxy,
> post-proxy bits.
>
> I can't use status-server just to check before clients connect, because of
> using Radsec (it's the future?!), so some requests are returned as rejects.
> It's good to know when/how often this sort of stuff happens given that
> some of the servers are external, nothing to do with us (Govroam).
> Thanks
> Andy
>
>
>
>
>
> ********************************************************************************************************************
>
> This message may contain confidential information. If you are not the
> intended recipient please inform the
> sender that you have received the message in error before deleting it.
> Please do not disclose, copy or distribute information in this e-mail or
> take any action in relation to its contents. To do so is strictly
> prohibited and may be unlawful. Thank you for your co-operation.
>
> NHSmail is the secure email and directory service available for all NHS
> staff in England and Scotland. NHSmail is approved for exchanging patient
> data and other sensitive information with NHSmail and other accredited
> email services.
>
> For more information and to find out how you can switch,
> https://portal.nhs.net/help/joiningnhsmail
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services.

For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail




More information about the Freeradius-Users mailing list