I kinda like your caching idea, but not sure of any security implications. I have (2) FR servers (each pointing to a different DC) and my NASes are configured to use both. But, iirc, if AD is down on the backend FR still replies (with something), so the NAS never rolls over to the other FR server.
So, I thought about some script that would use ntlm_auth every n seconds; if it fails, kill the FR process (or use FR policy to act dead). When it starts working again, restart FR. This should make the NAS roll to the next FR server. What about OpenLDAP on the FR server that's "refreshed" / sync'd to the winblows/AD? I've never tried this but assume it's doable.

----- Original Message -----
From: John Douglass [mailto:[email protected]]
Sent: Friday, March 04, 2011 11:34 AM
To: FreeRadius users mailing list <[email protected]>
Subject: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)

Group,

Recently, my AD servers were patched by another support group and this caused a (small but noticeable) service outage for our WPA radius services (Radius 2.1.9).

I am curious how others who are using AD as their backends have either configured smb.conf/winbind/radius in order to do high availability for authentications.

I do have configured in smb.conf:

    password server = server1.ad.gatech.edu server2.ad.gatech.edu

But that didn't seem to help with failures. What I am seeing in the logs (during outages such as these) are:

    Mar 3 06:47:55 dvlanb radiusd[17093]: Discarding duplicate request from client My-WiSM port 32770 - ID: 95 due to unfinished request 466
    Mar 3 06:47:55 dvlanb radiusd[17093]: Child PID 17274 is taking too much time: forcing failure and killing child.

I am pretty certain this is from a non-responsive "ntlm_auth" call.

I have searched for options to winbind and ntlm_auth that might assist in caching authentication requests so that slight hiccups like these do not disturb our users.

I thought of possibly writing a custom "ntlm_auth" script that performs a cache lookup and responds correctly as ntlm_auth regularly would and, if there is no valid cache entry, then tries the real ntlm_auth command and then adds a cache entry.

Does someone have any suggestions on configuration changes on radius or samba that might help?

From my sites-available/wpa-services file:

    authorize {
        # The preprocess module takes care of sanitizing some bizarre attributes in
        # the request, and turning them into attributes which are more standard.
        preprocess

        #
        # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        # authentication.
        eap {
            ok = return
        }

        #
        # Look in an SQL database. The schema of the database is meant to mirror the "users" file.
        sqlwpa
    }

    # Authentication.
    authenticate {
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
            mschap
        }

        # Allow EAP authentication.
        eap
    }

Thanks in advance,

- John Douglass, Senior Systems Architect
Georgia Institute of Technology

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
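The watchdog the reply sketches (probe AD through winbind with ntlm_auth every n seconds, stop radiusd when the probe fails so the NAS fails over to the other FreeRADIUS server, start it again once the probe recovers), written out as an added example. This is not code from either poster. The probe account, password file path, start/stop commands, interval and failure threshold are all assumptions; override them through the environment for a real deployment.

```shell
#!/bin/sh
# AD-reachability watchdog for a FreeRADIUS + winbind host (added example).
# Tunables (all hypothetical defaults):
INTERVAL=${INTERVAL:-10}          # seconds between probes
FAIL_LIMIT=${FAIL_LIMIT:-3}       # consecutive failures before stopping radiusd
PROBE_DOMAIN=${PROBE_DOMAIN:-EXAMPLE}
PROBE_USER=${PROBE_USER:-radius-probe}          # dedicated low-privilege account
PROBE_PW_FILE=${PROBE_PW_FILE:-/etc/raddb/probe.pw}  # root-only file, mode 0600
STOP_CMD=${STOP_CMD:-"service radiusd stop"}
START_CMD=${START_CMD:-"service radiusd start"}

# probe_ad: exit 0 when a plaintext ntlm_auth check against AD succeeds.
# Set PROBE_CMD to any command to exercise the logic without winbind/AD.
probe_ad() {
    if [ -n "$PROBE_CMD" ]; then
        $PROBE_CMD >/dev/null 2>&1
    else
        ntlm_auth --domain="$PROBE_DOMAIN" --username="$PROBE_USER" \
                  --password="$(cat "$PROBE_PW_FILE")" >/dev/null 2>&1
    fi
}

# decide STATE FAILS PROBE_RC
# Pure state transition: prints "NEWSTATE NEWFAILS ACTION" where STATE is
# up|down (whether radiusd is currently allowed to run) and ACTION is
# stop|start|none.  Requiring FAIL_LIMIT consecutive failures keeps one slow
# ntlm_auth call from bouncing the service.
decide() {
    state=$1; fails=$2; rc=$3
    if [ "$rc" -eq 0 ]; then
        if [ "$state" = down ]; then echo "up 0 start"; else echo "up 0 none"; fi
    else
        fails=$((fails + 1))
        if [ "$state" = up ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
            echo "down $fails stop"
        else
            echo "$state $fails none"
        fi
    fi
}

# watchdog: loop forever, probing and acting on the decision.
watchdog() {
    state=up; fails=0
    while :; do
        if probe_ad; then rc=0; else rc=1; fi
        set -- $(decide "$state" "$fails" "$rc")
        state=$1; fails=$2
        case $3 in
            stop)  logger -t ad-watchdog "AD probe failed $fails times; stopping radiusd"
                   $STOP_CMD ;;
            start) logger -t ad-watchdog "AD probe recovered; starting radiusd"
                   $START_CMD ;;
        esac
        sleep "$INTERVAL"
    done
}

# Run the loop only when explicitly asked, so the file can also be sourced.
if [ "${AD_WATCHDOG_RUN:-0}" = 1 ]; then
    watchdog
fi
```

Run it as `AD_WATCHDOG_RUN=1 sh ad-watchdog.sh` under your init system. Two points a defender would want: the probe account should be a dedicated account with no rights beyond authenticating, because its password sits on the RADIUS host and is passed on the ntlm_auth command line (briefly visible in the process list); and stopping radiusd only helps if the NAS is configured with the second server and a sane timeout, otherwise you have traded a slow failure for a hard one.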

