I have two backend RADIUS servers with a front end proxy server.

All servers are running 1.1.5.

Authentication type is EAP-PEAP.

On the front end I've got a stripped down radiusd.conf just doing Realm 
detection and proxying.

And a proxy.conf

realm sussex.ac.uk {
         type = RADIUS
         authhost = radius1.uscs.susx.ac.uk:1812
         accthost = radius1.uscs.susx.ac.uk:1813
         secret = 31charhashedsecret
         ldflag = round_robin
}
realm sussex.ac.uk {
         type = RADIUS
         authhost = radius2.uscs.susx.ac.uk:1812
         accthost = radius2.uscs.susx.ac.uk:1813
         secret = 31charhashedsecret
         ldflag = round_robin
}

What's happening is the first round of authentication will go to 

Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know 
about the previous request and bails out with.

modcall: entering group authenticate for request 0
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown 

So firstly, is EAP proxying actually possible?

Secondly, is there something really stupid I've missed?

There are two ways I can see this working, either the proxy server 
directs all the authentication rounds for one session to one proxy 
server. Or the eap module on either backend instance figures out what 
the previous part of the conversation was.

Also I noticed this entry in eap.conf

                 #  A list is maintained to correlate EAP-Response
                 #  packets with EAP-Request packets.  After a
                 #  configurable length of time, entries in the list
                 #  expire, and are deleted.
                 timer_expire     = 60

Anyone know where this list actually exists?
If it's just in memory or an actual file?

Arran Cudbard-Bell
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
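
The failure described in this post, as an added sketch that is not part of the original message and is not FreeRADIUS code: a toy model of two backends that each keep their own request/response correlation list, fronted by either a round-robin selector or one that pins a client to a single backend. The `Backend` class, the `State`-style token, the hashing on a station identifier and the sample station value are all assumptions made for illustration; only `timer_expire = 60` comes from the quoted eap.conf.

```python
import hashlib
import itertools

TIMER_EXPIRE = 60  # seconds, the timer_expire value quoted from eap.conf
STATION = "00-11-22-33-44-55"  # constructed client identifier

class Backend:
    """Toy EAP server holding its own list of outstanding EAP-Requests."""
    def __init__(self, name):
        self.name = name
        self.pending = {}  # token -> time the matching EAP-Request was sent
        self.counter = 0

    def handle(self, state, now):
        """Return (ok, next_state); state is None on the first round."""
        if state is not None:
            sent = self.pending.pop(state, None)
            if sent is None or now - sent > TIMER_EXPIRE:
                return False, None  # models "Request not found in the list"
        self.counter += 1
        next_state = f"{self.name}-{self.counter}"
        self.pending[next_state] = now
        return True, next_state

def round_robin(backends):
    cycle = itertools.cycle(backends)
    return lambda station: next(cycle)

def sticky(backends):
    # Assumption: pin every round from one station to the same backend.
    def pick(station):
        digest = hashlib.sha256(station.encode()).digest()
        return backends[digest[0] % len(backends)]
    return pick

def run_session(pick, station, rounds=4, step=1):
    """Drive a multi-round exchange; return the failing round, or 0 on success."""
    state = None
    for n in range(1, rounds + 1):
        ok, state = pick(station).handle(state, now=n * step)
        if not ok:
            return n
    return 0

def demo():
    make = lambda: [Backend("radius1"), Backend("radius2")]
    return (run_session(round_robin(make()), STATION),    # fails at round 2
            run_session(sticky(make()), STATION),         # completes
            run_session(sticky(make()), STATION, step=61))  # entry expired

if __name__ == "__main__":
    print(demo())
```
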
