Authentication Source Order

clay at clay at
Tue Oct 26 10:04:59 CEST 2021

Hi guys

I am trying to do something that seems a bit odd as I can't find it in 
any searches. Perhaps someone else here has done this before.
I have FreeRadius successfully connected and working, serving 
authentication requests from a MySQL DB. It's running on a pfSense 
firewall and configured via the GUI but I doubt that makes any 
I'm authenticating users connecting via a secure network to reach 
services and would like to change the authentication logic. If the MySQL 
server is down (yes I know it shouldn't be or I should have redundant 
servers) I would like the Radius server to always return an 
I know this seems counter-intuitive for an authentication service but as 
I said it's via a secure network allowing users supplementary services 
that are better to give for free for a limited time than not to give at 
all in case of a backend outage.
My thoughts on doing this were trying to authenticate via SQL first and 
then falling back to "users" file authentication with a RegExp or 
DEFAULT user to match a user pattern all users. Is this a good way to do 
it? From what I've seen, FreeRadius tries to use the users file before 
trying SQL by default but I changed the sites-enabled/default ordering 
and that seems to work for (notfound || noop) but not for ( fail ). If I 
use SQL and then (notfound || noop) then "file" and the user exists in 
the "users" file it works. DEFAULT user works as well for any user.
Where I'm going wrong, I think, is that in the sites-enabled/default it 
accepts the "fail" as a module response code but doesn't act on it when 
the sql1 fails. I've attached the debug log.
         redundant sql {
         if ( fail ) {
                         if (notfound || noop) {

Thanks in advance!
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd-x.txt
URL: <>
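
The behaviour described in the post, as an added example that is not part of the original message and not the poster's configuration: in FreeRADIUS 3.x unlang, `notfound` and `noop` have numeric priorities in `authorize`, while `fail` defaults to the action `return`, so a following `if (fail)` is never evaluated unless that action is overridden on the module. The instance names `sql` and `files` are the stock ones and are assumptions here.

```unlang
# Constructed example for FreeRADIUS 3.x, sites-enabled/default.
# "sql" and "files" are the stock module instance names (assumed here).
# The two authorize blocks are alternatives, shown side by side.

# Default behaviour: "fail" from sql has the action "return", so
# authorize stops there and the condition below is never evaluated.
authorize {
    sql
    if (fail) {
        files
    }
}

# With the action overridden: "fail" gets priority 1 instead of "return",
# processing continues, and the users file is consulted only when the
# SQL module itself failed (for example, the database is unreachable).
authorize {
    sql {
        fail = 1
    }
    if (fail) {
        files
    }
}
```

With the second form, what is accepted during an outage is decided entirely by the matching entry in the `users` file.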
