reject_errors
Control whether pipeline errors result in request rejection
The reject_errors action controls how Radiator handles pipeline errors. By default, when a pipeline error occurs on a RADIUS or TACACS+ request, the request is silently ignored (no response sent). When reject_errors on; is configured, errors cause the request to be rejected instead.
This default is chosen because RADIUS and TACACS+ have no standard way to communicate internal errors back to clients. For example, RADIUS proxies use timeouts to detect broken servers, so sending an Access-Reject on an internal error may lead to unexpected behavior.
Syntax
    reject_errors on;
    reject_errors off;
Parameters
| Value | Description |
|---|---|
| on | Pipeline errors cause the request to be rejected (Access-Reject) |
| off | Pipeline errors cause the request to be ignored (no response sent) |
Error Information
When errors occur, they are captured in the aaa.errors variable, which can be accessed in final-* pipeline stages for logging or debugging purposes.
Examples
Reject on any pipeline error
Enable rejection for errors to ensure clients receive a response:
    aaa {
        policy "DEFAULT" {
            handler "AUTHENTICATION" {
                authentication {
                    reject_errors on;
                    backend {
                        name "USERS";
                        query "FIND_USER";
                    }
                    pap;
                }
                final-authentication {
                    log "AUTHENTICATION" {
                        json {
                            "username" "%{aaa.identity}";
                            "result" "%{aaa.result}";
                            "errors" "%{aaa.errors}";
                        }
                    }
                }
            }
        }
    }
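With reject_errors on, a pipeline error reaches the client as an ordinary Access-Reject, so the "errors" field written by the final-authentication log above is what separates a backend failure from a genuine reject. The following Python script is an added example, not part of the Radiator documentation, that triages such log lines; the result values (accept, reject, ignore), the rendering of aaa.errors as a plain string, and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of the final-authentication JSON log
# (username, result, errors). The result values and the string rendering of
# aaa.errors are assumptions, not captured Radiator output.
SAMPLE_LOG = """\
{"username": "alice", "result": "accept", "errors": ""}
{"username": "bob", "result": "reject", "errors": ""}
{"username": "carol", "result": "reject", "errors": "backend USERS: connection refused"}
{"username": "dave", "result": "reject", "errors": "backend USERS: connection refused"}
{"username": "erin", "result": "ignore", "errors": "backend USERS: timeout"}
not-json garbage line
"""

def classify(record):
    """Label one log record by why the request ended the way it did."""
    result = str(record.get("result", "")).lower()
    errors = str(record.get("errors", "")).strip()
    if errors:
        # A pipeline error occurred: with reject_errors on the client sees a
        # reject, with reject_errors off it sees no response at all.
        return "error_reject" if result == "reject" else "error_ignored"
    if result == "reject":
        return "policy_reject"  # ordinary reject, no pipeline error recorded
    return "ok"

def triage(log_text):
    """Return (counts per label, counts per error string, unparseable lines)."""
    counts, error_kinds, bad = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(record, dict):
            bad += 1
            continue
        label = classify(record)
        counts[label] += 1
        if label.startswith("error_"):
            error_kinds[str(record.get("errors", "")).strip()] += 1
    return counts, error_kinds, bad

if __name__ == "__main__":
    counts, error_kinds, bad = triage(SAMPLE_LOG)
    print(dict(counts), dict(error_kinds), "unparseable:", bad)
```

A rising error_reject count with a single dominant error string points at a backend outage rather than failed logins, which is the distinction clients cannot make once errors are turned into rejects.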
Use with try-catch for graceful error handling
For more granular error handling, use the try action instead:
    authentication {
        try {
            backend {
                name "PRIMARY_DB";
                query "AUTH";
            }
        } catch {
            reject "backend failure: %{aaa.caught_error}";
        }
    }