On 7 Oct 2013, at 11:31, [email protected] wrote:
> Hi,
>
>> Well you want the probes to go through and hit your backend
>> authentication servers, and your databases, and any external resource.
>
> ..and get a valid user with access accept? bad. you are better off just
> sending a reject - just like RADIUS status server probes. it would be nice
> if the WISM would do proper RADIUS status-server probe instead....but since
> cisco want you to buy ACS/ISE and that doesn't do nice things - then I guess
> we can live in hope

No. You want a policy in post-auth which checks what happened when the test
user's authentication was processed.

Everything ok:
    Access-Reject

Something's wrong:
    Don't respond

And you want to make sure that you have ACLs in place to only allow access to
the RADIUS test user object from the RADIUS test server (obviously :) ).

In regards to upstream proxy servers, I'll echo Alan D's thoughts on this, and
say that it's really the responsibility of an AAA routing protocol.

Though yes, for eduroam checking next hop connectivity is probably useful.
Maybe an xlat method which returns the state of a realm?

-Arran
Arran Cudbard-Bell <[email protected]>
FreeRADIUS Development Team
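
The monitoring side of the policy described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it checks the RFC 2865 Response Authenticator before counting an Access-Reject as "healthy". The function names, the state labels and the sample secret are assumptions of this example, as is treating an Access-Accept for the test user as a misconfiguration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RFC 2865 packet codes

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def classify_probe(reply, ident, request_auth, secret):
    """Monitor side: map the reply to a test-user probe onto a server state."""
    if reply is None:
        return "DOWN"       # no reply: server dead, or the policy withheld it
    if len(reply) < 20:
        return "INVALID"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return "INVALID"
    reply = reply[:length]  # ignore padding after the declared length
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "INVALID"    # not produced with our shared secret: do not trust it
    if code == ACCESS_REJECT:
        return "UP"         # the authentication path ran and reported no fault
    if code == ACCESS_ACCEPT:
        return "MISCONFIGURED"  # assumption: the test user is never granted access
    return "INVALID"

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    req_auth = bytes(range(16))            # constructed Request Authenticator
    ident = 7
    check = lambda reply: classify_probe(reply, ident, req_auth, secret)
    return {
        "reject": check(build_response(ACCESS_REJECT, ident, req_auth, secret)),
        "accept": check(build_response(ACCESS_ACCEPT, ident, req_auth, secret)),
        "timeout": check(None),
        "forged": check(build_response(ACCESS_REJECT, ident, req_auth, b"wrong")),
    }

if __name__ == "__main__":
    print(demo())
```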