> Alan DeKok wrote:
> > "Thor Spruyt" <[EMAIL PROTECTED]> wrote:
> >> It's a pitty, but radrelay can't be used for proxied packets.
> >> Reason is that if the packets are relayed to the backup server, the
> >> backup doesn't know it has already been proxied and will thus proxy
> >> it again. The homeserver should only receive the packet once of
> >> course!
> >
> > Can you suggest a fix?
>
> Well... I've given it some thinking and guess what...
>
> Suppose you have a realm with 2 homeservers for redundancy:
> realm NULL {
> type = radius
> authhost = 10.10.10.10:1812
> accthost = 10.10.10.10:1813
> secret = testing123
> }
> realm NULL {
> type = radius
> authhost = 20.20.20.20:1812
> accthost = 20.20.20.20:1813
> secret = testing123
> }
>
> Suppose the primary server receives an acct packets, and proxies it to
> 20.20.20.20:1813
> Then Freeradius-Proxied-To = 20.20.20.20 will be added in the detail file
> and relayed to the backup server.
> Then the backup server will compare 20.20.20.20 with 10.10.10.10 and will
> again proxy the packet to the homeserver (10.10.10.10).
>
> Suggested solution 1: let the primary server add multiple
> Freeradius-Proxied-To attributes (one for each server configured for that
> realm)
> Suggested solution 2: let the backup server check the Freeradius-Proxied-To
> attribute against all servers configured for that realm
> Suggested solution 3: add a Freeradius-Proxied-Realm attribute, which the
> backup server could check against
>
> --
> Regards,
>
> Thor Spruyt
What if you just set it up so that it only proxied the auth to the home
server and stored the accounting locally? Then you use radrelay to send
all accounting packets over?
realm NULL {
type = radius
authhost = 20.20.20.20:1812
accthost = LOCAL
secret = testing123
}
That could work, couldn't it?
-Dusty Doris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
