Authentication Source Order

clay at milos.co.za
Tue Oct 26 10:04:59 CEST 2021


Hi guys

I am trying to do something that seems a bit odd as I can't find it in 
any searches. Perhaps someone else here has done this before.
I have FreeRadius successfully connected and working, serving 
authentication requests from a MySQL DB. It's running on a pfSense 
firewall and configured via the GUI but I doubt that makes any 
difference.
I'm authenticating users connecting via a secure network to reach 
services and would like to change the authentication logic. If the MySQL 
server is down (yes I know it shouldn't be or I should have redundant 
servers) I would like the Radius server to always return an 
Access-Accept.
I know this seems counter-intuitive for an authentication service but as 
I said it's via a secure network allowing users supplementary services 
that are better to give for free for a limited time than not to give at 
all in case of a backend outage.
My thoughts on doing this were trying to authenticate via SQL first and 
then falling back to "users" file authentication with a RegExp or 
DEFAULT user to match a user pattern all users. Is this a good way to do 
it? From what I've seen, FreeRadius tries to use the users file before 
trying SQL by default but I changed the sites-enabled/default ordering 
and that seems to work for (notfound || noop) but not for ( fail ). If I 
use SQL and then (notfound || noop) then "file" and the user exists in 
the "users" file it works. DEFAULT user works as well for any user.
Where I'm going wrong, I think, is that in the sites-enabled/default it 
accepts the "fail" as a module response code but doesn't act on it when 
the sql1 fails. I've attached the debug log.
         redundant sql {
                 sql1
         }
         if ( fail ) {
                 files
                 if (notfound || noop) {
                         reject
                 }
         }

Thanks in advance!
\\Clay
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd-x.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20211026/972afab4/attachment-0001.txt>

