FreeRADIUS + LVS problem
aland at deployingradius.com
Sat Feb 17 01:44:58 CET 2007
Sam Schultz wrote:
> According to my research, FreeRADIUS supposedly does work from
> behind an LVS load balancer. My current configuration works
> perfectly outside of the LVS, but once it is put behind the LVS it
> ceases to work. Connections seem to succeed even behind the LVS,
> until they get to an access challenge, where I get:
> rad_recv: Access-Challenge packet from host 192.168.240.111:5058,
> id=42, length=64 Authentication reply packet code 11 sent to a non-
> proxy reply port from client WPA_Test:5058 - ID 42 : IGNORED
Somehow Access-Challenge packets are being sent to the RADIUS server.
This could be because some UDP-level routing is incorrect in LVS.
>>From what little information I could find on this, it looks like
> the freeradius thinks these are proxied requests due to ip mangling
> done by the LVS load balancer (Basically, it's a 1:1 NAT).
Even if the LVS load balancer is doing IP mangling, it has no business
sending Access-Challenges to a RADIUS server on port 1812. Those
challenges are sent FROM the server, and should have been sent back to
A larger problem with LVS is that if you're doing Access-Challenges,
the responses MUST go back to the RADIUS server that sent the challenge.
So a UDP-level load balancer that doesn't understand RADIUS may not work.
> P.S. Alan, I would definitely think this (LVS + FreeRADIUS) would
> be a good topic for your book
I plan on having a chapter on that, yes. I've been trying to get Xen
installed on a machine, without much luck. (Xen gets part way through
booting... stops... and reboots).
As for your other message:
> I was thinking there may be some way to coerce FR into
> thinking the load balancer is another radius server sending over
> proxied requests, or something like that.
The simplest way to do that is (perhaps not surprisingly) to run
FreeRADIUS as a proxy, doing RADIUS-aware load balancing. Since that
machine won't be doing authentication (DB's are slow), there's no reason
it can't handle proxying 5k RADIUS requests/s.
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users