I guess in describing the problem, I answered it myself - how often that happens.
I now call the rad_check_password method from rlm_sql's authorize, and now configurable failover works on an expired account; something the freeRADIUS maintainers might want to consider.

Cheers,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy, Daniel
Sent: Tuesday, July 13, 2004 4:08 PM
To: [EMAIL PROTECTED]
Subject: Can't seem to use configurable failover for an expired account

Hi all,

This is a rather detailed question, since it relates to the source code of freeRADIUS, but I'm trolling to see if anyone has come across this or what a freeRADIUS expert might suggest as a solution.

Configurable failover is working for me in the authorize section. Also, I've built an authenticate section in rlm_files so that now configurable failover is working in the authenticate section (for MS-CHAP in my case). In both cases I'm proxying to another realm as the failover.

Now my problem: Somewhere between authorize and MS-CHAP authenticate, I need to configure failover if an account is expired, since account expiration doesn't seem to be part of the authorize section.

Code details: In src/main/auth.c:rad_authenticate, it loops over the registered and configured modules with an authorize section, then it checks to see if it needs to proxy, then it performs the authentication. Authentication starts by checking the account expiration followed by checking the password, and so on. Checking the password (rad_check_password) includes calling the appropriate module_authenticate. So checking account expiration is stuck in a "no man's land" between authorization and authentication.

Is there a way for me to include expiration as a rejection of authentication in configurable failover or do I need to hack the source code?

Around line 550 of src/main/auth.c in rad_authenticate:

    /*
     * Validate the user
     */
    do {
        if ((result = check_expiration(request)) < 0)
            break;
        ...

Around line 710 of src/main/auth.c in rad_authenticate:

    /*
     * Result should be >= 0 here - if not, we return.
     */
    if (result < 0) {
        return RLM_MODULE_OK;
    }

Note: check_expiration returns -1 if the account has expired.

Thanks in advance,
Daniel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html