Arran Cudbard-Bell wrote:
> What's happening if the first round of authentication will go to
> radius1.uscs.susx.ac.uk
>
> Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know
> about the previous request and bails out with.

Round robin && EAP don't work together very well.

> So firstly is EAP proxying actually possible ?

Yes. Many people are using it. Round-robin, on the other hand, isn't currently possible. It would require additional code in the server. It's not hard, but it hasn't been done yet.

> Secondly is there something really stupid I've missed ?

Nope.

> There are two ways I can see this working, either the proxy server
> directs all the authentication rounds for one session to one proxy
> server. Or the eap module on either backend instance figures out what
> the previous part of the conversation was.

If it's proxying, the EAP module isn't being used.

> Also I noticed this entry in eap.conf
>
> # A list is maintained to correlate EAP-Response
> # packets with EAP-Request packets. After a
> # configurable length of time, entries in the list
> # expire, and are deleted.
> #
> timer_expire = 60
>
> Anyone know where this list actually exists ?
> If it's just in memory or an actual file ?

It's in the EAP module. And it's only used when the server is doing the EAP authentication.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
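The failure discussed in this thread, as an added simulation that is not part of the original message and is not FreeRADIUS code: each home server keeps its EAP conversation list only in memory, so a round-robin proxy rejects on round two, while a proxy that hashes a per-client key sends every round to the same server. The `HomeServer` class, the three-round conversation, the `keyed` selector and the Calling-Station-Id value are assumptions made for illustration.

```python
import hashlib
from itertools import count

TIMER_EXPIRE = 60  # seconds, as in the eap.conf excerpt quoted above

class HomeServer:
    """Constructed stand-in for a backend that performs the EAP authentication."""
    def __init__(self, name):
        self.name, self.ids = name, count()
        self.sessions = {}  # State value -> (round, time stored); in memory only

    def handle(self, state, now):
        if state is None:  # first round: open a new conversation
            state = f"{self.name}-{next(self.ids)}"
            self.sessions[state] = (1, now)
            return "Access-Challenge", state
        rnd, stored = self.sessions.pop(state, (0, now))
        if rnd == 0 or now - stored > TIMER_EXPIRE:
            return "Access-Reject", None  # unknown or expired conversation
        if rnd + 1 == 3:  # assumed three-round conversation
            return "Access-Accept", None
        self.sessions[state] = (rnd + 1, now)
        return "Access-Challenge", state

def round_robin(servers):
    turn = count()
    return lambda key: servers[next(turn) % len(servers)]

def keyed(servers):
    """Hypothetical sticky selector: same key always maps to the same server."""
    def pick(key):
        digest = hashlib.sha256(key.encode()).digest()
        return servers[int.from_bytes(digest[:4], "big") % len(servers)]
    return pick

def run_session(pick, key, rounds=3, step=1):
    """Proxy the EAP rounds of one supplicant; return the replies it saw."""
    state, replies = None, []
    for i in range(rounds):
        reply, state = pick(key).handle(state, now=i * step)
        replies.append(reply)
        if reply != "Access-Challenge":
            break
    return replies

if __name__ == "__main__":
    key = "00-11-22-33-44-55"  # constructed Calling-Station-Id
    for name, make in (("round-robin", round_robin), ("keyed", keyed)):
        pool = [HomeServer("radius1"), HomeServer("radius2")]
        print(name, run_session(make(pool), key))
```

Passing `step=61` to `run_session` with the keyed selector shows the other way a conversation is lost: the entry outlives `timer_expire` and the next round is rejected even on the correct server.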

