leopold wrote:
> Thank you very much Alan for your reply.
> Let me please clarify the requirements.
> EAP-TLS:
> - perform the needed SSL handshake, there are 11 messages exchanged and I do
> not want to query SQL each time and it degrades performance.

You already said that.

> - find the user/machine in SQL, compare check attributes and respond with
> reply attributes based on SQL data.

You already said that.

> If SQL is down or some other SQL
> connection failure then DO NOT RESPOND.

You already said that. I already said that this is pointless. If SQL is down, why the heck are you doing 10-11 EAP packets? It makes no sense.

> If user/machine is not found in SQL DB or check attributes do not match
> reject, otherwise accept.

That's how the server works.

> Your suggestion with sql.authorize in post-auth section "almost" works, the
> only problem is we need not to respond when SQL is down.

Did you bother to read the REST of my message, saying how you could accomplish this?

> Because otherwise
> RADIUS might respond with Access-Accept and won't send the needed reply
> attributes when SQL is unavailable.
> Could you please change the code if there is no other neat way around to
> still use "do_not_respond" policy in post-auth section?

No.

> Maybe in event.c you could check if control is set not to respond and then
> drop the packet?

No. Read my previous message again. There is a way to do this without modifying the server code.

Alan DeKok.

