Arran Cudbard-Bell wrote:

> Whats happening if the first round of authentication will go to 
> radius1.uscs.susx.ac.uk
> 
> Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know 
> about the previous request and bails out with.

  Round robin && EAP don't work together very well.

> So firstly is EAP proxying actually possible ?

  Yes.  Many people are using it.  Round-robin, on the other hand, isn't
currently possible.  It would require additional code in the server.

  It's not hard, but it hasn't been done yet.

> Secondly is there something really stupid i've missed ?

  Nope.

> There are two ways I can see this working, either the proxy server 
> directs all the authentication rounds for one session to one proxy 
> server. Or the eap module on either backend instance figures out what 
> the previous part of the conversation was.

  If it's proxying, the EAP module isn't being used.

> Also I noticed this entry in eap.conf
> 
>                  #  A list is maintained to correlate EAP-Response
>                  #  packets with EAP-Request packets.  After a
>                  #  configurable length of time, entries in the list
>                  #  expire, and are deleted.
>                  #
>                  timer_expire     = 60
> 
> Anyone know where this list actually exists ?
> If it's just in memory or an actual file ?

  It's in the EAP module.  And it's only used when the server is doing
the EAP authentication.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to