Re: [RADIATOR] Loadbalancing requests from Proxy
On 05/09/2013 11:09 PM, Michael Hulko wrote:

> We have been requested to try and loadbalance requests to a Campus
> department with their own Radius (IAS) server for their wireless users.

Hello Michael,

you mentioned campus and wireless LAN which makes me think there is EAP, such as PEAP or TTLS, involved. If so, you would need to use AuthBy EAPBALANCE to make sure the EAP authentication sessions are always handled by the same IAS server. Otherwise you will see failures and timeouts when the IAS servers receive requests they are not expecting.

The Trace 4 log was not included, but I'd first check how it works with EAPBALANCE.

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
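The failure mode described in the reply above, as an added example that is not part of the original thread and is not Radiator code: a toy model in which per-request balancing splits one multi-round EAP conversation across two servers, next to a session-aware policy that keeps it on one. The four-round exchange, the two backends and the State-based stickiness are assumptions made for illustration; how AuthBy EAPBALANCE tracks sessions internally is not shown on this page.

```python
import itertools
import secrets

ROUNDS = 4  # assumed request/challenge round trips in one EAP login

class Backend:
    """Stands in for one IAS server; it knows only the EAP sessions it started."""
    def __init__(self):
        self.sessions = {}  # State attribute value -> requests seen so far
    def handle(self, state):
        if state is None:  # first Access-Request of a conversation
            state = secrets.token_hex(8)
            self.sessions[state] = 1
            return "challenge", state
        if state not in self.sessions:  # a request this server is not expecting
            return "unexpected", None
        self.sessions[state] += 1
        if self.sessions[state] == ROUNDS:
            return "accept", None
        return "challenge", state

class RoundRobinProxy:
    """Per-request balancing: every request goes to the next backend in turn."""
    def __init__(self, backends):
        self._cycle = itertools.cycle(backends)
        self._owner = {}  # State value -> backend that issued it
    def pick(self, state):
        return next(self._cycle)
    def forward(self, state):
        backend = self.pick(state)
        result, new_state = backend.handle(state)
        if new_state is not None:
            self._owner[new_state] = backend
        return result, new_state

class StickyProxy(RoundRobinProxy):
    """Session-aware balancing: a request carrying State returns to its issuer."""
    def pick(self, state):
        return self._owner.pop(state, None) or next(self._cycle)

def accepted_logins(proxy_cls, logins=10):
    proxy = proxy_cls([Backend(), Backend()])  # two constructed backends
    accepted = 0
    for _ in range(logins):
        result, state = proxy.forward(None)
        while result == "challenge":
            result, state = proxy.forward(state)
        accepted += result == "accept"
    return accepted
```

With two backends, `accepted_logins(RoundRobinProxy)` completes no logins because the second request of every conversation lands on the server that did not start it, while `accepted_logins(StickyProxy)` completes all of them.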
Re: [RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE
On 05/10/2013 02:33 AM, Todor Genov wrote:

> I have found an issue where the Retries clause is ignored when using
> UseStatusServerForFailureDetect with AuthBy LOADBALANCE.

Hello Todor,

We have recently received reports about Status-Server probing and there appear to be some issues that require a further look from us. However, before doing anything else, please check the reference manual for 'FailureBackoffTime' and especially this note:

  Caution: with most types of load balancing modules, the default of 0 will mean endless retransmission of each request until a reply is received.

Since you have not specified FailureBackoffTime it defaults to 0 and might be the cause of the problem you see.

Thanks,
Heikki

> In a scenario where a downstream proxy becomes unresponsive, requests
> enter a re-transmit loop until the next Status-Server keepalive detects
> the host has failed and only then requests are ignored.
>
> To replicate use the following config:
>
> <Realm DEFAULT>
>     <AuthBy LOADBALANCE>
>         Retries 3
>         RetryTimeout 1
>         UseStatusServerForFailureDetect
>         KeepaliveTimeout 300
>         NoreplyTimeout 1
>         <Host localhost>
>             AuthPort 1822
>             AcctPort 1823
>         </Host>
>     </AuthBy>
> </Realm>
>
> A single Access-Request is re-transmitted 300 (KeepaliveTimeout/RetryTimeout)
> times instead of 3. Once the request is eventually ignored the following
> can be seen in the logs:
>
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
>
> When using the same config with AuthBy RADIUS the behavior is as expected
> and the request is re-transmitted only three times then ignored:
>
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
>
> Thanks.
> --
> todor
Re: [RADIATOR] Loadbalancing requests from Proxy
Thanks for the suggestion.. this seems to alleviate the timeouts that I had noticed previously. (Log file was sent separately).

MH

On 2013-05-10, at 5:26 AM, Heikki Vatiainen wrote:

> On 05/09/2013 11:09 PM, Michael Hulko wrote:
>
>> We have been requested to try and loadbalance requests to a Campus
>> department with their own Radius (IAS) server for their wireless users.
>
> Hello Michael,
>
> you mentioned campus and wireless LAN which makes me think there is EAP,
> such as PEAP or TTLS, involved. If so, you would need to use AuthBy
> EAPBALANCE to make sure the EAP authentication sessions are always
> handled by the same IAS server. Otherwise you will see failures and
> timeouts when the IAS servers receive requests they are not expecting.
>
> The Trace 4 log was not included, but I'd first check how it works with
> EAPBALANCE.
>
> Thanks,
> Heikki

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca