Bug #2928
closed
Authentication attempts against multiple radius servers should stop when the first reject is received.
0%
Description
The radius.inc code in pfsense treats anything that is not an radius accept as the same kind of failure. It does not differentiate between a radius reject and any other kind of failure, timeouts, configuration errors, etc. When multiple radius servers are configured it will try to authenticate against all the servers configured even if previous servers returns a reject. It's logic is 'if it's not accept, try the next server'.
I propose that the authentication hunt should stop on a reject and only proceed to the next server only when it fails to receive a determined answer back from radius. The current behavior is problematic when your radius server is doing something like two factor authentication where a user may get continued authentication requests after they reject the first request.
Also to remedy my pain the server.php that is generated for the openvpn authentication plugin script will need to know how to use this new functionality.
Updated by 
Updated by