We have configured two RADIUS servers for failover. Recently, I noticed that failed authentications from the primary are immediately re-asked at the secondary server (which still generates an Auth failure, so the end result is consistent and no harm done).
But there's really no point in asking the failover server if the primary is sure that the auth failed.
Looking at the code, I found a logic error here (simplesamlphp-module-radius/src/Auth/Source/Radius.php, line 167 in 27d7591):

```php
if ($response !== false) {
```
The code considers the RADIUS query successful only if it returns not-false.
The underlying library returns something not-false only in case the authentication succeeded. Notably, a failed authentication is as "false" as a protocol error. See the return paths of its function: they are either outright "false" or compare whether the authentication was a success:
https://github.com/dapphp/radius/blob/master/src/Radius.php#L1752
I.e. error conditions and a negative outcome both have the same result; and the calling module in SSP will loop over all configured servers in both cases. Only a positive result breaks out of the loop.
Ideally, a confirmed negative result from the primary authentication server should be taken as-is.
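To make the three-way distinction concrete, here is an added example (illustrative Python, not the module's PHP code and not the dapphp/radius library): a reply from a RADIUS server is classified as Accept, Reject, or Error, and the failover loop falls through to the next server only on Error. A reply whose Response Authenticator does not verify against the shared secret is deliberately an Error rather than a Reject, since nothing has actually been confirmed. The function and variable names (`classify_response`, `authenticate_with_failover`, `fake_transport`) and the simulated servers are assumptions of this example; the `authenticate_only_accept_stops` variant mirrors the "only a positive result breaks the loop" pattern described above for comparison.

```python
"""Added example: RADIUS failover that treats a verified Access-Reject as final.
Illustrative model, not simplesamlphp-module-radius or dapphp/radius code."""
import enum
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2   # RADIUS packet codes (RFC 2865)
ACCESS_REJECT = 3


class Outcome(enum.Enum):
    ACCEPT = "accept"   # server said yes
    REJECT = "reject"   # server said no: a confirmed negative answer
    ERROR = "error"     # timeout, malformed reply, or bad Response Authenticator


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Build a reply with a valid Response Authenticator:
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(packet: Optional[bytes], ident: int, request_auth: bytes,
                      secret: bytes) -> Outcome:
    """Map a raw reply (None = timeout) to ACCEPT / REJECT / ERROR.
    Only a reply that verifies against the shared secret can be a REJECT."""
    if packet is None or len(packet) < 20:
        return Outcome.ERROR
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or length != len(packet):
        return Outcome.ERROR
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return Outcome.ERROR          # not from a holder of the shared secret
    if code == ACCESS_ACCEPT:
        return Outcome.ACCEPT
    if code == ACCESS_REJECT:
        return Outcome.REJECT
    return Outcome.ERROR              # Access-Challenge etc. not handled here


# send(server_name, identifier, request_authenticator) -> reply bytes or None
Transport = Callable[[str, int, bytes], Optional[bytes]]


def authenticate_with_failover(servers: List[Tuple[str, bytes]],
                               send: Transport) -> Tuple[Outcome, Optional[str]]:
    """Ask servers in order; move on only when the outcome is ERROR."""
    for i, (name, secret) in enumerate(servers):
        ident, request_auth = i & 0xFF, os.urandom(16)
        outcome = classify_response(send(name, ident, request_auth),
                                    ident, request_auth, secret)
        if outcome is not Outcome.ERROR:
            return outcome, name      # ACCEPT or confirmed REJECT is final
    return Outcome.ERROR, None


def authenticate_only_accept_stops(servers: List[Tuple[str, bytes]],
                                   send: Transport) -> Tuple[Outcome, Optional[str]]:
    """The pattern described in the issue: only ACCEPT breaks the loop,
    so a REJECT from the primary is re-asked at every remaining server."""
    last, last_name = Outcome.ERROR, None
    for i, (name, secret) in enumerate(servers):
        ident, request_auth = i & 0xFF, os.urandom(16)
        last = classify_response(send(name, ident, request_auth),
                                 ident, request_auth, secret)
        last_name = name
        if last is Outcome.ACCEPT:
            break
    return last, last_name


def fake_transport(behaviour: Dict[str, Tuple[str, bytes]],
                   asked: List[str]) -> Transport:
    """Constructed stand-in for the network. behaviour maps a server name to
    ('accept' | 'reject' | 'timeout', secret the fake server signs with);
    every contacted server name is appended to `asked`."""
    def send(name: str, ident: int, request_auth: bytes) -> Optional[bytes]:
        asked.append(name)
        mode, secret = behaviour[name]
        if mode == "timeout":
            return None
        code = ACCESS_ACCEPT if mode == "accept" else ACCESS_REJECT
        return build_response(code, ident, request_auth, secret)
    return send


if __name__ == "__main__":
    SECRET = b"s3cr3t"   # constructed shared secret for the demo
    servers = [("primary", SECRET), ("secondary", SECRET)]
    both_reject = {"primary": ("reject", SECRET), "secondary": ("reject", SECRET)}
    asked: List[str] = []
    print(authenticate_with_failover(servers, fake_transport(both_reject, asked)), asked)
    asked = []
    print(authenticate_only_accept_stops(servers, fake_transport(both_reject, asked)), asked)
```

The demo prints that `authenticate_with_failover` stops at the primary after its Reject while `authenticate_only_accept_stops` contacts the secondary as well. A forged or misconfigured reply (signed with the wrong secret) and a timeout both land in ERROR and do trigger failover, which is the only case where asking the next server is useful.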