FreeRadius Proxy fallback to virtual server

grantd1987 · 09-05-2017, 03:14 PM

Hey Everyone,
I have a FreeRadius proxy to proxy radius requests from pam_radius for SSH to an Azure MFA radius box. Everything works fine when the Azure MFA server is working, but when it stops working, no one can log in due to radius failures. I was wondering if anyone knew how to set up the fallback part of a home_server_pool to a virtual server that just responds "Accept". I know this is bad practice, but since the servers are still doing AD Auth through Winbind, I don't feel it is a big issue since the Azure MFA is malfunctioning anyways and loosing access is a bigger issue.

This is my current config in the proxy.conf file:

Code:

home_server MFA1 {
        type = auth
        ipaddr = 192.168.1.101
        port = 1812
        proto = udp
        secret = shared-secret1234
        response_window = 60
        response_timeouts = 5
        zombie_period = 60
        revive_interval = 120
        status_check = request
        username = "this_is_a_fake_user"
        password = "this_is_not_real"
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
		
		#
        #  If ALL home servers are dead, then this "fallback" home server
        #  is used.  If set, it takes precedence over any realm-based
        #  fallback, such as the DEFAULT realm.
        #
        #  For reasons of stability, this home server SHOULD be a virtual
        #  server.  Otherwise, the fallback may itself be dead!
        #
        #fallback = virtual.example.com
}

home_server MFA2 {
        type = auth
        ipaddr = 192.168.1.102
        port = 1812
        proto = udp
        secret = shared-secret1234
        response_window = 60
        response_timeouts = 5
        zombie_period = 60
        revive_interval = 120
        status_check = request
        username = "this_is_a_fake_user"
        password = "this_is_not_real"
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        max_outstanding = 65536
		
		#
        #  If ALL home servers are dead, then this "fallback" home server
        #  is used.  If set, it takes precedence over any realm-based
        #  fallback, such as the DEFAULT realm.
        #
        #  For reasons of stability, this home server SHOULD be a virtual
        #  server.  Otherwise, the fallback may itself be dead!
        #
        #fallback = virtual.example.com
}

home_server_pool MFA {
        type = load-balance
        home_server = MFA1
        home_server = MFA2
}

realm DEFAULT {
        auth_pool       = MFA
        nostrip
}