I don't just call ntlm_auth because I want to simulate the entire EAP
request (as if it is another of my wireless controllers) and get regular
logs from radius that the server is responding. If some (although it
hasn't happened!) piece of my radius stack has a problem (say, the mysql
connections break for some reason), I want a full restart of the service.
Just testing authentication doesn't give me a full radius stack picture.
- John Douglass
Georgia Institute of Technology
Sr. Systems Architect
On 05/06/2013 12:25 PM, Phil Mayers wrote:
On 06/05/2013 14:40, John Douglass wrote:
ntlm_auth talks to winbind. Winbind maintains a single long-lived
connection to a single AD controller.
It can take anything up to 60 seconds for winbind to realise this
connection has gone down, during which time all ntlm_auth will hang or
fail. This has caused us problems on a number of occasions.
So in fact, your approach is interesting to me; have you tested it
e.g. by using iptables/ipfw to block access to an AD controller and
seeing if it fails over?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
I wrote a script that does an eapol_test every minute. If it fails, it
immediately tries twice more. If THAT fails, then I restart winbind,
restart radius, and things continue on their happy way.
That'll work too, although I wonder why you're not just calling
ntlm_auth?