Re: Proxying EAP Requests in round robin

2007-03-20 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Damn, so there's no way to do load balancing with RADIUS packets 
> containing EAP attributes ?

  As always, patches are welcome. :)

> Completely different topic, but is it normal for FreeRADIUS to authorize 
> the user in each round of authentication ? Can it not cache the 
> credentials from the LDAP / SQL database ? Or is it doing that already 
> transparently?

  It's normal.  It's not caching the credentials.

  The problem is that it's difficult for the EAP module to say "now I
need authentication information".  So it's easier to just always query
the DB, even though it's inefficient.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying EAP Requests in round robin

2007-03-20 Thread Arran Cudbard-Bell

> Message: 2
> Date: Tue, 20 Mar 2007 12:30:47 +0100
> From: Alan DeKok <[EMAIL PROTECTED]>
> Subject: Re: Proxying EAP Requests in round robin.
> To: FreeRadius users mailing list
>   
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Arran Cudbard-Bell wrote:
> 
>> What's happening is the first round of authentication will go to 
>> radius1.uscs.susx.ac.uk
>>
>> The second will go to radius2.uscs.susx.ac.uk, but the second doesn't know 
>> about the previous request and bails out with:
> 
>   Round robin && EAP don't work together very well.
> 
>> So firstly is EAP proxying actually possible ?
> 
>   Yes.  Many people are using it.  Round-robin, on the other hand, isn't
> currently possible.  It would require additional code in the server.
> 
>   It's not hard, but it hasn't been done yet.
> 
>> Secondly is there something really stupid I've missed ?
> 
>   Nope.
> 
>> There are two ways I can see this working, either the proxy server 
>> directs all the authentication rounds for one session to one proxy 
>> server. Or the eap module on either backend instance figures out what 
>> the previous part of the conversation was.
> 
>   If it's proxying, the EAP module isn't being used.
> 
>> Also I noticed this entry in eap.conf
>>
>>  #  A list is maintained to correlate EAP-Response
>>  #  packets with EAP-Request packets.  After a
>>  #  configurable length of time, entries in the list
>>  #  expire, and are deleted.
>>  #
>>  timer_expire = 60
>>
>> Anyone know where this list actually exists ?
>> If it's just in memory or an actual file ?
> 
>   It's in the EAP module.  And it's only used when the server is doing
> the EAP authentication.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 
Damn, so there's no way to do load balancing with RADIUS packets 
containing EAP attributes ?

Completely different topic, but is it normal for FreeRADIUS to authorize 
the user in each round of authentication ? Can it not cache the 
credentials from the LDAP / SQL database ? Or is it doing that already 
transparently?

Thank you very much for your quick response anyway, saved me hours of 
head scratching.


Regards,
Arran
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900


Re: Proxying EAP Requests in round robin.

2007-03-20 Thread Alan DeKok
Arran Cudbard-Bell wrote:

> What's happening is the first round of authentication will go to 
> radius1.uscs.susx.ac.uk
> 
> The second will go to radius2.uscs.susx.ac.uk, but the second doesn't know 
> about the previous request and bails out with:

  Round robin && EAP don't work together very well.

> So firstly is EAP proxying actually possible ?

  Yes.  Many people are using it.  Round-robin, on the other hand, isn't
currently possible.  It would require additional code in the server.

  It's not hard, but it hasn't been done yet.

> Secondly is there something really stupid I've missed ?

  Nope.

> There are two ways I can see this working, either the proxy server 
> directs all the authentication rounds for one session to one proxy 
> server. Or the eap module on either backend instance figures out what 
> the previous part of the conversation was.

  If it's proxying, the EAP module isn't being used.

> Also I noticed this entry in eap.conf
> 
>  #  A list is maintained to correlate EAP-Response
>  #  packets with EAP-Request packets.  After a
>  #  configurable length of time, entries in the list
>  #  expire, and are deleted.
>  #
>  timer_expire = 60
> 
> Anyone know where this list actually exists ?
> If it's just in memory or an actual file ?

  It's in the EAP module.  And it's only used when the server is doing
the EAP authentication.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Proxying EAP Requests in round robin.

2007-03-20 Thread Arran Cudbard-Bell
Hi,

I have two backend RADIUS servers with a front end proxy server.

All servers are running 1.1.5.

Authentication type is EAP-PEAP.

On the front end I've got a stripped down radiusd.conf just doing Realm 
detection and proxying.

And a proxy.conf

realm sussex.ac.uk {
 type = RADIUS
 authhost = radius1.uscs.susx.ac.uk:1812
 accthost = radius1.uscs.susx.ac.uk:1813
 secret = 31charhashedsecret
 ldflag = round_robin
 nostrip
}
realm sussex.ac.uk {
 type = RADIUS
 authhost = radius2.uscs.susx.ac.uk:1812
 accthost = radius2.uscs.susx.ac.uk:1813
 secret = 31charhashedsecret
 ldflag = round_robin
 nostrip
}

What's happening is the first round of authentication will go to 
radius1.uscs.susx.ac.uk

The second will go to radius2.uscs.susx.ac.uk, but the second doesn't know 
about the previous request and bails out with:

modcall: entering group authenticate for request 0
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request

So firstly is EAP proxying actually possible ?

Secondly is there something really stupid I've missed ?

There are two ways I can see this working, either the proxy server 
directs all the authentication rounds for one session to one proxy 
server. Or the eap module on either backend instance figures out what 
the previous part of the conversation was.

Also I noticed this entry in eap.conf

 #  A list is maintained to correlate EAP-Response
 #  packets with EAP-Request packets.  After a
 #  configurable length of time, entries in the list
 #  expire, and are deleted.
 #
 timer_expire = 60

Anyone know where this list actually exists ?
If it's just in memory or an actual file ?

Thanks,
Arran Cudbard-Bell
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900
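The failure Arran describes, and the first of his two proposed fixes (the proxy pinning every round of one EAP conversation to the same backend), can be modelled in a few dozen lines. The following is an added illustration, not FreeRADIUS code: each simulated backend keeps the in-memory list that eap.conf's comment refers to, correlating an outstanding EAP-Request with the EAP-Response it expects and expiring entries after `timer_expire` seconds; the proxy either rotates backends round-robin (as the `ldflag = round_robin` realm config does) or, in the sticky variant, routes any packet carrying a `State` attribute back to the backend that issued it. The backend names, the `State` format, the three-round conversation and the packet dictionaries are all constructed for the example and do not reflect real RADIUS wire encoding.

```python
"""Simulation of EAP proxying behind a round-robin vs. a sticky proxy.

Added example, not FreeRADIUS code.  Backend names, State format and the
three-round conversation are constructed for illustration.
"""
import itertools

# Mirrors the eap.conf setting quoted in the thread: list entries expire
# after this many seconds.
TIMER_EXPIRE = 60


class EapBackend:
    """A backend RADIUS server running the EAP module.

    `_pending` is the module's correlation list: State -> (round, created_at).
    It lives in this process's memory only, which is why a second backend
    cannot continue a conversation this one started.
    """

    def __init__(self, name):
        self.name = name
        self._pending = {}
        self._counter = itertools.count(1)

    def _expire(self, now):
        # Drop entries older than timer_expire, as the module comment describes.
        for state, (_, created) in list(self._pending.items()):
            if now - created > TIMER_EXPIRE:
                del self._pending[state]

    def handle(self, pkt, now):
        self._expire(now)
        state = pkt.get("State")
        if state is None:
            # Round 1 (EAP-Response/Identity): start a new conversation.
            state = f"{self.name}-{next(self._counter)}"
            self._pending[state] = (1, now)
            return {"code": "Access-Challenge", "State": state, "server": self.name}
        if state not in self._pending:
            # Either we never saw round 1 (sent elsewhere) or the entry expired.
            return {"code": "Access-Reject", "server": self.name,
                    "log": "rlm_eap: Request not found in the list"}
        rnd, _ = self._pending[state]
        if rnd >= 3:  # constructed: the conversation completes after 3 rounds
            del self._pending[state]
            return {"code": "Access-Accept", "server": self.name}
        self._pending[state] = (rnd + 1, now)
        return {"code": "Access-Challenge", "State": state, "server": self.name}


class Proxy:
    """Front-end proxy.  sticky=False is plain round-robin; sticky=True keys
    on the State attribute the backend issued so one conversation stays on
    one backend (assumed design, not a 1.1.x feature)."""

    def __init__(self, backends, sticky):
        self.sticky = sticky
        self._rr = itertools.cycle(backends)
        self._affinity = {}  # State -> backend that issued it

    def forward(self, pkt, now):
        state = pkt.get("State")
        if self.sticky and state in self._affinity:
            backend = self._affinity[state]
        else:
            backend = next(self._rr)
        reply = backend.handle(pkt, now)
        if self.sticky:
            if reply["code"] == "Access-Challenge":
                self._affinity[reply["State"]] = backend
            elif state is not None:
                self._affinity.pop(state, None)  # conversation finished
        return reply


def run_conversation(proxy, start=0.0, step=1.0):
    """Drive one EAP conversation through the proxy; `step` is the simulated
    seconds between rounds.  Returns ([(server, code), ...], final reply)."""
    pkt = {"User-Name": "user@sussex.ac.uk"}  # constructed identity
    trace, now = [], start
    while True:
        reply = proxy.forward(pkt, now)
        trace.append((reply["server"], reply["code"]))
        if reply["code"] != "Access-Challenge":
            return trace, reply
        pkt = {"User-Name": "user@sussex.ac.uk", "State": reply["State"]}
        now += step


if __name__ == "__main__":
    for sticky, step in ((False, 1.0), (True, 1.0), (True, 61.0)):
        backends = [EapBackend("radius1"), EapBackend("radius2")]
        trace, reply = run_conversation(Proxy(backends, sticky), step=step)
        print(f"sticky={sticky} step={step}s:", trace, reply.get("log", ""))
```

Round-robin fails on the second packet exactly as the log in the original post shows: `radius2` has no entry for a State that `radius1` created. The sticky proxy completes the conversation on `radius1`. The third run keeps affinity but spaces rounds 61 seconds apart, so the entry has expired under `timer_expire = 60` and the same "Request not found in the list" reject appears; that is the other cause Alan's log line mentions, and it is why the expiry timer and the proxy's session affinity have to be considered together.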