On 29 Nov 2012, at 09:21, Stefan Kuegler <[email protected]> wrote:
> Hi Arran.
>
>>> You could also use rlm_replicate to duplicate the packet, but there's
>>> currently no way of checking the aliveness of a realm at runtime, so you'd
>>> end up sending duplicate requests to whatever the primary OTP server was.
>>
>> and that wouldn't help if you were actually wanting to authenticate the user
>> instead of just performing some kind of synchronisation between the OTP
>> servers.
>>
>>
> Because we don't have any multicast-infrastructure, I will try rlm_replicate.
You can't set up a VLAN between the OTP servers and the RADIUS server? You don't
need all the fancy IGMP/PIM stuff if you can get the devices in the same L2
domain.
> Do you have some information on which files I have to modify?
>
> Thanks for your help.
>
Sure, you use the control attribute Proxy-To-Realm to specify multiple realms
to replicate to, and then call the replicate module.
update control {
        Replicate-To-Realm := <foo>
        Replicate-To-Realm += <bar>
}
replicate
Thinking about it, you may be able to set up something like:
proxy.conf:

# Both servers are used from auth_pools below, so they must be of type "auth"
# (an "acct" home_server is not found when an auth_pool is built).
home_server otp0 {
        type = auth
        ipaddr = <foo>
        port = 1812
        secret = <bar>
}
home_server otp1 {
        type = auth
        ipaddr = <foo>
        port = 1812
        secret = <bar>
}

# Member order matters: the first alive member of a pool is the one used,
# so each pool lists the *other* server first.
home_server_pool otp0 {
        home_server = otp1
        home_server = otp0
}
home_server_pool otp1 {
        home_server = otp0
        home_server = otp1
}

realm otp0 {
        auth_pool = otp0
}
realm otp1 {
        auth_pool = otp1
}
sites-available/default:

authorize {
        update control {
                Proxy-To-Realm := otp0
                Replicate-To-Realm := otp1
        }
        replicate
}
IIRC home server state is tracked on a per homeserver basis (irrespective of
pool), and proxy-to-realm and replicate-to-realm will only replicate to the
first alive server in a given pool. So the above *may* do exactly what you
want, with the caveat that the replicated packets won't be retransmitted if
they're lost.
Should work ok in v2.x.x
-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
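The following is an added model, not FreeRADIUS code and not part of the thread, of the selection rule Arran describes above (each realm's pool hands the packet to its first alive home server). It parses a constructed copy of the proxy.conf fragment (placeholder addresses from the documentation range and placeholder secrets; both servers given type = auth), then resolves Proxy-To-Realm and Replicate-To-Realm to concrete home servers under different alive/dead states. It shows the cross-ordered pools working as intended while both servers are up, and the edge case the thread does not spell out: once one server is marked dead, both attributes fall through to the same survivor, which then receives two copies of every request.

```python
"""Model of fail-over pool selection as described in the freeradius-users thread.

Constructed example: this is not FreeRADIUS source, only a model of the stated
rule "the first alive home server in a pool gets the packet".
"""
import re
from collections import Counter

# Constructed copy of the proxy.conf fragment from the thread. Addresses are
# from the RFC 5737 documentation range and secrets are obvious placeholders.
PROXY_CONF = """
home_server otp0 {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = placeholder-secret-0
}
home_server otp1 {
    type = auth
    ipaddr = 192.0.2.11
    port = 1812
    secret = placeholder-secret-1
}
home_server_pool otp0 {
    home_server = otp1
    home_server = otp0
}
home_server_pool otp1 {
    home_server = otp0
    home_server = otp1
}
realm otp0 {
    auth_pool = otp0
}
realm otp1 {
    auth_pool = otp1
}
"""

# One top-level "<kind> <name> { ... }" block; the fragment has no nesting.
BLOCK_RE = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}")
# One "key = value" line inside a block.
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.M)


def parse_proxy_conf(text):
    """Parse the three section kinds used in the thread's proxy.conf.

    Returns (home_servers, pools, realms):
      home_servers: name -> {key: value}
      pools:        name -> ordered list of member home_server names
      realms:       name -> auth_pool name
    """
    home_servers, pools, realms = {}, {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        pairs = KV_RE.findall(body)
        if kind == "home_server":
            home_servers[name] = dict(pairs)
        elif kind == "home_server_pool":
            # Order is significant: fail-over takes the first alive member.
            pools[name] = [value for key, value in pairs if key == "home_server"]
        elif kind == "realm":
            realms[name] = dict(pairs).get("auth_pool")
    return home_servers, pools, realms


def first_alive(members, alive):
    """Fail-over selection as described in the thread: first alive member wins."""
    for name in members:
        if alive.get(name, False):
            return name
    return None  # every member is dead: nothing receives the packet


def resolve_targets(config, control, alive):
    """Map each control attribute to the home server it would actually reach.

    control: {"Proxy-To-Realm": "otp0", "Replicate-To-Realm": ["otp1"]}
    alive:   {"otp0": True, "otp1": False}
    Returns a list of (attribute, realm, home_server or None).
    """
    _, pools, realms = config
    wanted = []
    if "Proxy-To-Realm" in control:
        wanted.append(("Proxy-To-Realm", control["Proxy-To-Realm"]))
    for realm in control.get("Replicate-To-Realm", []):
        wanted.append(("Replicate-To-Realm", realm))
    targets = []
    for attr, realm in wanted:
        members = pools.get(realms.get(realm), [])
        targets.append((attr, realm, first_alive(members, alive)))
    return targets


def copies_per_server(targets):
    """Count copies of one request per home server (key None = dropped copies)."""
    return Counter(server for _, _, server in targets)


if __name__ == "__main__":
    config = parse_proxy_conf(PROXY_CONF)
    control = {"Proxy-To-Realm": "otp0", "Replicate-To-Realm": ["otp1"]}
    for state in ({"otp0": True, "otp1": True},
                  {"otp0": True, "otp1": False},
                  {"otp0": False, "otp1": False}):
        targets = resolve_targets(config, control, state)
        print(state, "->", targets, dict(copies_per_server(targets)))
```

With both servers alive, Proxy-To-Realm otp0 lands on home server otp1 and Replicate-To-Realm otp1 on home server otp0, one copy each. With otp1 marked dead, both resolve to otp0 and that server sees the request twice, which matters for OTP back-ends that count attempts; with both dead, both copies are dropped.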