EAP proxing with client-balance

[Alan DeKok]

Alexander Clouter wrote:
> <ramble>
> I used 'keyed-balance' as 'client-balance'/'client-port-balance' load 
> balance terribly when your NAS's use the same source port and most of 
> our traffic comes from the same IP (the single infernal WLC 4400 we 
> have).

  They're meant to be used with more than one client.

> Looking closer at the detail logs I saw that mid-EAP conversation the 
> packets started to get proxied to different national proxies which 
> resulted (expectedly) with a Access-Reject; also explaining why my 
> counterparts never saw an inner authentication.

  Ah.  If they're going through different proxies, but making back to
the *same* home server, that will be an issue.

> Looks like MS IAS does not really care where the proxied packets come 
> from, it only key's on Proxy-State (I'm guessing here); FreeRADIUS being 
> a lot more picky...which is just what I like :)  With this in mind I 
> moved to 'fail-over' and everything started working.  Alas I cannot 
> leave it on 'fail-over' otherwise Alan Buxey gets grumbly.

  I won't speak ill of another Alan.

> The conclusion, we should not be paying any attention to 
> 'currently_outstanding' or 'fr_rand()' when there is EAP traffic; I 
> decided to add the clause !HOME_POOL_LOAD_BALANCE; things now work.
> 
> What do you think of the following patch, I think there is sound 
> reasoning behind it, however of course I am just a network monkey?

  Nope.  The solution is to fix the EAP module.  Edit
src/modules/rlm_eap.c, function eap_handler_cmp().  Delete the
comparison that checks src_ipaddr.

  The code already creates a unique State attribute for each EAP
session.  So it really doesn't need to check anything else.

  If that solves the problem, we can put the fix into 2.1.8.

  Alan DeKok.