Hi Andrew,

On Jan 26,  8:36pm, Andrew Pollock wrote:
> Subject: RE: (RADIATOR) Rejecting rather than Ignoring requests
> > -----Original Message-----
> > From: Mike McCauley [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 27 January 2000 12:27 PM
> > To: Andrew Pollock; [EMAIL PROTECTED]
> > Subject: Re: (RADIATOR) Rejecting rather than Ignoring requests
> >
> >
> > Hi Andrew,
>
> Hi Mike,
>
> > You can catch the case where it's a realm the central server does
> > not know about
> > by adding a
> >
> > <Realm DEFAULT>
> > </Realm>
> >
> > to your config, which will reject any requests from realms not otherwise
> > handled.
> >
> > As for rejecting if the central server does not reply (due to connectivity
> > problems) I'm not sure that changing the behaviour will gain you
> > anything? From
> > the user's point of view it would be the same: a delay, followed by
> > disconnection.
>
> Well actually, the NAS will fail over (unnecessarily, as far as I'm
> concerned) to the secondary RADIUS server, which (for redundancy reasons) is
> outside the hierarchy I described previously. Our NAS equipment (and I
> believe a few other vendors') don't readily swap back over to the primary
> RADIUS server again in a hurry, and it isn't acceptable to have
> authentication outside the roaming hierarchy for extended periods of time,
> hence my problem.
Yes, if the NAS fails over to another server, then I see your problem.


>
> > In any case, there is no way (without changing the code) to send
> > a reject if
> > the retransmits to the central server time out.
>
> Hmm, I don't particularly want to have to do that, but can you point me in
> the right direction? What is the intended purpose of multiple AuthBy's in a
> Handler? The documentation suggests that it does what I want it to do.

At the end of AuthRADIUS.pm, function forwardToNextHost handles timeouts after
n retransmissions. The else clause at the end of that function handles the case
when there are no more hosts to send to, and it currently just moans and drops
the packet. At the end of that function, you could (depending on a
configuration file option) decide to construct and send back a rejection
instead.

If you sent the resulting code to us, we would consider rolling it into the
base code, especially if others show some interest in it.


Hope that helps.
Cheers.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
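
Added example, not part of the original message and not Radiator code: a protocol-level Python sketch of the "reject instead of drop" behaviour discussed above, building the Access-Reject as RFC 2865 defines it. The function names, the `send` callback, the shared secret and the sample request are all constructed assumptions.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3   # RFC 2865 packet codes
REPLY_MESSAGE = 18                     # RFC 2865 attribute type

# Constructed sample data: shared secret between the NAS and this proxy,
# and a minimal Access-Request (id 42, fixed authenticator, User-Name only).
SECRET = b"example-shared-secret"
_user = b"user@example.net"
SAMPLE_REQUEST = (struct.pack("!BBH", ACCESS_REQUEST, 42, 20 + 2 + len(_user))
                  + bytes(range(16))
                  + struct.pack("!BB", 1, 2 + len(_user)) + _user)


def build_access_reject(request: bytes, secret: bytes, message: str = "") -> bytes:
    """Build the Access-Reject that answers a raw Access-Request."""
    if len(request) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(request):
        raise ValueError("not a valid Access-Request")
    request_auth = request[4:20]
    attrs = b""
    if message:
        text = message.encode()[:253]          # attribute value limit
        attrs = struct.pack("!BB", REPLY_MESSAGE, len(text) + 2) + text
    # The reply reuses the request's Identifier so the NAS can match it.
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def forward_or_reject(request: bytes, hosts, secret: bytes, send) -> bytes:
    """Try each upstream host in turn; reject when all of them time out.

    `send(host, request)` is a hypothetical callback that performs the
    retransmissions to one host and returns reply bytes, or None on timeout.
    """
    for host in hosts:
        reply = send(host, request)
        if reply is not None:
            return reply
    # No more hosts: answer the NAS explicitly rather than dropping the
    # packet, so it does not treat this server as dead and fail over.
    return build_access_reject(request, secret, "Upstream RADIUS unavailable")
```

The secret used for the Response Authenticator is the one shared with the NAS that sent the request, not the one shared with the upstream server.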
