Hello,
I was looking to add support for Dynamic Authorization Messages - Change of
Authority (CoA) and Disconnect messages - to radsecproxy. The RFC for this
can be found here: https://tools.ietf.org/html/rfc5176
Before diving headfirst, I wanted to ask if it is already on the roadmap or
if there has been a design discussion that I can read up on.
Thanks and regards,
Harshit Jain

Hi,
If you have this realm block:

    realm /@.+\..+$/ {
        server dynamic
        server fallback.server.here
        accountingResponse on
    }

radsecproxy will start to send the request to fallback.server.here
because the dynamic part didn't resolve yet: it's not blocking. Only as
soon as the config for the dynamic realm is in place, when the
dynamicLookupCommand had a result, it will continue with that host.
This results in part of the conversation going via one path, part of it
via another. This breaks "the first" authentication for a realm.
Unless there is no fallback of course: or if the fallback is done in the
lookup script (else at the end, which is what I'm using now). So, while
this is not problematic for me ;-), I was wondering if someone else
stumbled upon this, and whether we can have the dynamic lookup blocking
for the request? That would allow fallback "as documented".
Regards,
Paul
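
The workaround mentioned in the message above (doing the fallback inside the lookup script, so the dynamic server block is never empty), as an added sketch that is not part of the original thread or of radsecproxy's bundled scripts. The resolver stub, the port 2083, the `dynamic_radsec.` block name and `type TLS` for the fallback are assumptions; the realm is validated because it comes from the request and ends up inside a config block.

```shell
#!/bin/sh
# Added example: dynamicLookupCommand-style script with the fallback at the end.
# Usage (as the lookup command would call it): script.sh <realm>

# Fallback host taken from the realm block in the message; the port is assumed.
FALLBACK_HOST="fallback.server.here:2083"

# Resolver stub (hypothetical). A real script would do the DNS discovery here
# and print one "host:port" per line; this table is constructed sample data.
resolve_realm() {
    case "$1" in
        example.org)
            printf '%s\n' "radsec1.example.org:2083" "radsec2.example.org:2083" ;;
        *)
            return 1 ;;
    esac
}

# The realm is taken from the user name in the request, so accept only
# characters that cannot break out of the generated server block.
valid_realm() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a server block for realm $1: discovered hosts, else the fallback.
server_block() {
    realm=$1
    hosts=$(resolve_realm "$realm") || hosts=""
    [ -n "$hosts" ] || hosts=$FALLBACK_HOST
    printf 'server dynamic_radsec.%s {\n' "$realm"
    for h in $hosts; do
        printf '\thost %s\n' "$h"
    done
    printf '\ttype TLS\n}\n'
}

# Only act when called with a realm argument.
if [ -n "${1:-}" ]; then
    valid_realm "$1" || exit 1
    server_block "$1"
fi
```

With the fallback produced here, the realm block needs only `server dynamic`, so a request is not sent to a different server while the lookup is still running.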