On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:


On 5 Oct 2011, at 02:20, Mike Diggins wrote:


I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
failing over the Accounting Servers, due to lack of response from the Home 
Servers, or so says the log. However, I believe the issue is that some remote 
institutions' Radius Servers are ignoring the Accounting packets, and timing out 
my end, making it believe the Home Servers have failed to respond. FreeRadius 
responds by marking the Home server dead. It then sends a status-server query, 
to which it gets a reply, and enables the Dead Home server. I believe that's 
the sequence of events anyway. I captured some of that in debug mode:

Rejecting request 288 due to lack of any response from home server x.x.x.x port 1813

Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is dead).

Sending Status-Server of id 55 to x.x.x.x port 1813
       Message-Authenticator := 0x00000000000000000000000000000000
       NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806

I don't have any control over Accounting Packets being accepted, or not, by 
other Eduroam members. Some do, some don't, I imagine. Is there a configuration 
for FreeRadius that handles this situation cleanly? Seems to me that FR should 
check the Home server first, before marking it dead (at least).


No, I've talked about this with Alan. The proposed solution is an enhancement to 
the detail writer/reader functionality where the server automagically spawns 
new reader instances to listen on per domain detail files.

For now I'd recommend using rlm_replicate; this allows you to send an entirely 
new request to the home server, whilst sending an Accounting-Response to the 
NAS. FR does not track the new request and so won't be able to retransmit.

Just use something like:

preacct {
        if(Realm && Realm != 'local'){
                update control {
                        Proxy-To-Realm := 'local'
                        Replicate-To-Realm = 'eduroam'
                }
        }
}

accounting {
        replicate
}

Thanks for your suggestion. Do I drop this into my existing ..sites-available/default file? Does this add to what's there already, or do I replace what's there with this (and does the order matter)? Sorry, I have a very basic configuration and haven't had to delve into this.

-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
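
One way to check the suspicion in the first message from the debug output itself: separate home servers that were marked zombie but then answered a Status-Server probe from those that stayed silent. This is an added example, not part of the original thread or of FreeRADIUS; the patterns follow the debug lines quoted above, and the sample log and its 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict

# Patterns follow the debug lines quoted in the thread; each log entry is
# assumed to sit on one line (undo any e-mail wrapping first).
ZOMBIE = re.compile(r"Marking home server (\S+) port (\d+) as zombie")
PROBE = re.compile(r"Sending Status-Server of id (\d+) to (\S+) port (\d+)")
REPLY = re.compile(r"rad_recv: \S+ packet from host (\S+) port (\d+), id=(\d+)")

def classify_home_servers(lines):
    """Map (host, port) -> verdict for every home server marked zombie."""
    zombie_marks = defaultdict(int)
    pending = set()               # outstanding probes: (host, port, id)
    answered = defaultdict(int)   # probe replies seen after a zombie mark
    for line in lines:
        if m := ZOMBIE.search(line):
            zombie_marks[(m[1], int(m[2]))] += 1
        elif m := PROBE.search(line):
            pending.add((m[2], int(m[3]), int(m[1])))
        elif m := REPLY.search(line):
            key = (m[1], int(m[2]), int(m[3]))
            # Only a reply whose host, port and id match a probe counts.
            if key in pending:
                pending.discard(key)
                if key[:2] in zombie_marks:
                    answered[key[:2]] += 1
    return {
        server: "answers-status-server" if answered[server] else "silent"
        for server in zombie_marks
    }

# Constructed sample: the first server replies to its probe (id 55); the
# second sends only an unrelated packet (id 99) and never answers probe 56.
SAMPLE_LOG = """\
Rejecting request 288 due to lack of any response from home server 192.0.2.10 port 1813
PROXY: Marking home server 192.0.2.10 port 1813 as zombie (it looks like it is dead).
Sending Status-Server of id 55 to 192.0.2.10 port 1813
rad_recv: Access-Accept packet from host 192.0.2.10 port 1813, id=55, length=806
PROXY: Marking home server 192.0.2.20 port 1813 as zombie (it looks like it is dead).
Sending Status-Server of id 56 to 192.0.2.20 port 1813
rad_recv: Accounting-Response packet from host 192.0.2.20 port 1813, id=99, length=20
""".splitlines()

if __name__ == "__main__":
    for (host, port), verdict in classify_home_servers(SAMPLE_LOG).items():
        print(f"{host}:{port} {verdict}")
```

A server reported as answers-status-server is reachable and is dropping the proxied requests, which is the case the replicate approach above is meant for; a silent one may really be down.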