RADIUS failing to start correctly when remote DB is unavailable.

Nick Porter nick at portercomputing.co.uk
Thu Jan 12 12:00:18 UTC 2023 

On 12/01/2023 08:54, Sea Gull wrote:
> Yes indeed. RADIUS Authentication and Accounting servers are two different
> physical machines, which are connected to each other. Then, I have 2
> instances of the SQL configuration, one that writes to a local database and
> another that writes to a remote database. The reason for this setup is that
> the remote database is handled by a different team and this cannot be
> eliminated. Now the issue is that when the remote database is for any
> reason unreachable (could be firewall, maintenance, etc..) RADIUS will no
> longer authenticate users. So what I'd like to establish is if there's a
> way for RADIUS to continue with the authentication process of users without
> having them accounted for, when the remote database is unavailable.

There are two parts to this.

To allow FreeRADIUS to start when a database is down, set the "start" 
value of the connection pool for that database to 0.  You will also want 
to ensure that the "read_clients" option is set to "no", otherwise 
FreeRADIUS will still attempt to make a connection to the database 
during startup to read the clients.

If you do require the clients to be loaded from that database then life 
gets more complex, and you have to look at dynamic clients to allow the 
server to start without a database connection.


Secondly you need to look at your policy for authentication.  If that 
performs any calls to the database which is potentially unavailable, you 
need to amend your policy to allow for failure to be acceptable e.g. if 
that instance of the sql module is called sql-remote:

sql-remote {
     fail = 1
}

if (fail) {
     ... policy to handle database failure
     ok
}

otherwise the failure of the remote database will return a fail and 
cause an Access-Reject to be sent.

Nick


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230112/c4961f5f/attachment.sig>

More information about the Freeradius-Users mailing list