Hello,

I'm running two Radiator servers for authentication of our users in the cesnet.cz realm on our eduroam WiFi. Each Radiator has a dedicated LDAP server. The WiFi is controlled by a WLC. I expected that if any of the RADIUS servers fails, the WLC will fail over to the other one. That is true for a RADIUS server failure, but not for an LDAP server failure.

In case of an LDAP server failure, Radiator returns Access-Reject for the default FailureBackoffTime = 600s. The WLC has no chance to discover that there is a problem because it receives a response and continues to send clients to the failing RADIUS server. Is there any way to not respond to the request when AuthBy LDAP2 fails?

Is there a way to re-check a failed LDAP server before FailureBackoffTime expires? When there is no remaining LDAP server in the Host pool, this waiting doesn't make much sense.

At the moment I have reduced FailureBackoffTime from 600s to 60s and provided multiple LDAP servers to AuthBy LDAP2, which seems to be working.

My config:

<AuthBy LDAP2>
        Identifier Check2017LDAP

        UsernameMatchesWithoutRealm yes

        Host                    ldap
        Port                    636
        UseSSL
        SSLCAFile               /etc/radiator/certs/chain_CESNET_CA4.pem
        FailureBackoffTime      60

        AuthDN                  xxxx
        AuthPassword            xxxx

        BaseDN                  dc=cesnet,dc=cz
        UsernameAttr            uid
        PasswordAttr            radiusPassword
        AuthAttrDef             radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
        SearchFilter            (&(%0=%1)(|(objectClass=eduroamTestAccount)(objectClass=radiusUser)))
        EAPType                 PEAP,MSCHAP-V2,LEAP,TTLS

        # 2. 11. 2018 Semik - we stop sending the root certificate
        EAPTLS_CAPath           /etc/ssl/certs/null
        EAPTLS_CertificateFile  /etc/radiator/certs/radius.cesnet.cz.crt
        EAPTLS_CertificateType  PEM
        EAPTLS_PrivateKeyFile   /etc/radiator/certs/radius.cesnet.cz.key
        EAPTLS_PrivateKeyPassword xxxx
        EAPTLS_MaxFragmentSize  1000
        EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}

        AutoMPPEKeys

        EAPTLS_PEAPVersion      0

        EAPAnonymous            %n

        SSLeayTrace             0
</AuthBy>

<Handler Realm=cesnet.cz, TunnelledByTTLS=1>
        AuthBy  Check2017LDAP
</Handler>

<Handler Realm=cesnet.cz, TunnelledByPEAP=1>
        AuthBy  Check2017LDAP
</Handler>

<Handler Realm=cesnet.cz>
        AuthBy  Check2017LDAP
        AuthLog authlogger
        AuthLog FTICKS-FULL

        AddToReplyIfNotExist    Tunnel-Type=1:VLAN,\
                                Tunnel-Medium-Type=1:Ether_802
</Handler>

Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
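The workaround the post ends up with (several LDAP hosts in one AuthBy LDAP2 plus a shorter backoff) is shown here as an added Radiator configuration example; it is not the poster's configuration. The first AuthBy is the single-host shape the post started from, the second the pooled shape. Host names, DNs, the realm, the CA path and the Timeout value are placeholders and assumptions for illustration.

```conf
# Added example, not the poster's own config. Hosts, DNs, realm, CA file
# and the Timeout value are placeholders/assumptions.

# 1. Single LDAP host, default backoff. Once "ldap" stops answering,
#    Radiator marks it failed for the default 600 s and keeps replying to
#    the WLC for that whole period, so the WLC never sees a RADIUS timeout
#    and never fails over to the other RADIUS server.
<AuthBy LDAP2>
        Identifier              LDAP-single
        Host                    ldap
        Port                    636
        UseSSL
        SSLCAFile               /etc/radiator/certs/ca-chain.pem
        # FailureBackoffTime not set: defaults to 600 seconds
        AuthDN                  cn=radius,dc=example,dc=org
        AuthPassword            xxxx
        BaseDN                  dc=example,dc=org
        UsernameAttr            uid
        PasswordAttr            radiusPassword
        SearchFilter            (%0=%1)
</AuthBy>

# 2. Several LDAP hosts in one AuthBy. Radiator tries them in the order
#    listed and skips a host that is currently marked failed. A short
#    per-operation Timeout keeps a dead host from stalling the request,
#    and FailureBackoffTime 60 re-tries a failed host after a minute
#    instead of ten.
<AuthBy LDAP2>
        Identifier              LDAP-pool
        Host                    ldap1 ldap2 ldap3
        Port                    636
        UseSSL
        SSLCAFile               /etc/radiator/certs/ca-chain.pem
        Timeout                 3
        FailureBackoffTime      60
        AuthDN                  cn=radius,dc=example,dc=org
        AuthPassword            xxxx
        BaseDN                  dc=example,dc=org
        UsernameAttr            uid
        PasswordAttr            radiusPassword
        SearchFilter            (%0=%1)
</AuthBy>

<Handler Realm=example.org>
        AuthBy  LDAP-pool
</Handler>
```

One thing to check on the WLC side when using the pooled form: if every host in the list is down and none is yet marked failed, a single request can take on the order of Timeout multiplied by the number of hosts before Radiator answers (about 9 s with the values above). The WLC's RADIUS retransmit timer and retry count need to cover that, otherwise it retransmits while Radiator is still walking the host list.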