RADIUS failing to start correctly when remote DB is unavailable.
Nick Porter
nick at portercomputing.co.uk
Thu Jan 12 12:00:18 UTC 2023
On 12/01/2023 08:54, Sea Gull wrote:
> Yes indeed. RADIUS Authentication and Accounting servers are two different
> physical machines, which are connected to each other. Then, I have 2
> instances of the SQL configuration, one that writes to a local database and
> another that writes to a remote database. The reason for this setup is that
> the remote database is handled by a different team and this cannot be
> eliminated. Now the issue is that when the remote database is for any
> reason unreachable (could be firewall, maintenance, etc..) RADIUS will no
> longer authenticate users. So what I'd like to establish is if there's a
> way for RADIUS to continue with the authentication process of users without
> having them accounted for, when the remote database is unavailable.
There are two parts to this.
To allow FreeRADIUS to start when a database is down, set the "start"
value of the connection pool for that database to 0. You will also want
to ensure that the "read_clients" option is set to "no", otherwise
FreeRADIUS will still attempt to make a connection to the database
during startup to read the clients.
If you do require the clients to be loaded from that database then life
gets more complex, and you have to look at dynamic clients to allow the
server to start without a database connection.
Secondly you need to look at your policy for authentication. If that
performs any calls to the database which is potentially unavailable, you
need to amend your policy to allow for failure to be acceptable e.g. if
that instance of the sql module is called sql-remote:
sql-remote {
fail = 1
}
if (fail) {
... policy to handle database failure
ok
}
otherwise the failure of the remote database will return a fail and
cause an Access-Reject to be sent.
Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230112/c4961f5f/attachment.sig>
More information about the Freeradius-Users
mailing list