So (and I'm reading in between the lines here), it seems as if you already
have two servers, A and B, configured using some sort of clustering so
that if A fails, B picks up A's address virtually, and vice-versa.
If so, then I think you're making the problem harder than it is.
Typically, most software that does RADIUS will accept a primary and a
backup, and it is within the client's control which server they decide to
talk to. (i.e. you might be making a problem when in fact none really
exists!) I would pose that question to your telco; chances are it will
automatically fail over to the backup if the primary is unavailable.
Additionally, most layer 7 load balancers also have a provision for
determining if the end node is not available and automatically routing
traffic to the other available node(s). I would also query your telco on
this possibility.
(In other words, the way I see it, you shouldn't need to do any of this
virtual IP jazz, because it should already be accounted for in the radius
clients themselves!)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute crap, looks
reasonable on paper, and won't cause too much trouble. ... Well I don't
have any MCSEs on my books at the moment, but I could call around." --
Simon Travaglia
"Paul Jenner" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/07/2003 10:33 AM
Please respond to freeradius-users
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: RADIUS response from incorrect interface
Hi all.
Thanks for so many replies so quickly. I totally take on board the
comments about UDP responses on the same IP not being trivial and
probably not being worth it to implement.
However, it's worth pointing out for the record why it's useful here.
The situation here is that the RADIUS requests come from load-balanced
upstream telco proxies who require two IPs for the RADIUS servers for
both resilience and load-balancing. Normally these would be serviced by
two physical servers with two real IPs but, when one server is not
available, the other can take over by taking the IP as a virtual
interface.
There are a lot of arguments about whether this is a sensible thing to
do, etc.; however, this is what I am trying to implement (and it works for
UDP DNS requests with ISC bind).
Thanks for all the help on this - I think for now I'll look for a
solution outside of the RADIUS software (translation on firewalls etc.
most likely) as this appears the correct place to do this kind of thing.
Paul
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html