This is my proxy.conf. The only value I've adjusted so far is response window (from 20 down to 5). Otherwise, I believe it's configured correctly to failover between the two home servers. I'll have to work on the debugs.


proxy server {
        default_fallback        = yes
}

home_server proxy1 {
        type                    = auth+acct
        ipaddr                  = x.x.x.x
        port                    = 1812
        secret                  = xxxxxxxxxx
        response_window         = 5
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server proxy2 {
        type                    = auth+acct
        ipaddr                  = x.x.x.x
        port                    = 1812
        secret                  = xxxxxxxxxxxx
        response_window         = 5
        zombie_period           = 40
        revive_interval         = 60
        status_check            = status-server
        check_interval          = 30
        num_answers_to_alive    = 3
}

home_server_pool EDUROAM-FTLR {
        type                    = fail-over
        home_server             = proxy1
        home_server             = proxy2
}

realm mydomain.ca {
          strip
}

realm LOCAL {
          nostrip
}

realm NULL {
          nostrip
}

realm DEFAULT {
        pool = EDUROAM-FTLR
        nostrip
}

-Mike



On Wed, 5 Dec 2012, Alan Buxey wrote:

Hi,

This is the RedHat RPM which I believe are maintained by RedHat.
Hopefully they've back ported any major security issues!

got the changelog for the 2.1.12 RPM release you are running?

It does both autentication and proxy and I do have status-check
enabled. On the contraller I increased the default timeout from 2
seconds up to 8 seconds. At the same time I lowered the

2 seconds is very low for international RADIUS proxying...the traffic
needs to get to the end site...and then be dealt with by the end site
(which may take 1 - many seconds to actually authenticate the user
once the tunnel is created). somewhere around 10 seconds is the maximum
I would expect for global roaming authentication via multple proxy peers

the RADIUS server is at the mercy of the controller and the remote sites...
who might not be answering at all...they could just reject.

I havent seen a sanity error message like that since the troublesome 2.1.7 - 
2.1.9
days when the proxy code got some rewrites in places.....

I wonder if your proxy.conf for the home server stuff is correct and not
flipping requests between remote proxys?

what does the server show/say in full debug mode with a test remote account?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to