Robust Authentication Proxying

Ivan Kalik tnt at kalik.net
Fri Jul 10 11:05:37 CEST 2009


> I'm trying to set up a robust RADIUS authentication proxy.  All this
> radius will do is proxy all auth requests to a set of four backend
> RADIUS handlers.  I have a 2.1.6 server that I've configured with four
> home_server entries and one home_server_pool that load-balances across
> the four.  It works when all four backends are up, but if any 1 of the
> backends goes down, then requests that get directed to that backend
> result in an Access-Reject packet being returned to the NAS.  Is there
> a way to configure freeradius so that instead of returning an Access-
> Reject packet, the server will instead switch to the next configured
> server and retry the request there?  It may mean that it takes a
> little longer for the request to be handled, but that's better than it
> being rejected.

No, but you can enable the do_not_respond policy (see policy.conf). The
server then won't respond to the NAS. That should result in a repeated
request, which should (chances are) end up with a different home server.
This would be in effect during the zombie period. Once the home server is
marked dead, no requests will go to it.

Ivan Kalik
Kalik Informatika ISP
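
The setup discussed in this thread, sketched as a configuration fragment. This is an added example, not part of the original post or of the FreeRADIUS distribution: the server names, realm name, addresses (documentation range), secrets and timer values are constructed placeholders, and calling the policy from Post-Proxy-Type Fail is this example's assumption about where to enable it.

```conf
# --- proxy.conf (all names, addresses and secrets are placeholders) ---
home_server backend1 {
	type = auth
	ipaddr = 192.0.2.11
	port = 1812
	secret = CHANGE_ME_1
	response_window = 20   # no reply within this many seconds starts the zombie period
	zombie_period = 40     # no reply to anything for this long: marked dead
	revive_interval = 120  # seconds before a dead server is tried again
}
# backend2..backend4 leave the timers at their defaults here
home_server backend2 {
	type = auth
	ipaddr = 192.0.2.12
	port = 1812
	secret = CHANGE_ME_2
}
home_server backend3 {
	type = auth
	ipaddr = 192.0.2.13
	port = 1812
	secret = CHANGE_ME_3
}
home_server backend4 {
	type = auth
	ipaddr = 192.0.2.14
	port = 1812
	secret = CHANGE_ME_4
}
home_server_pool backends {
	type = load-balance
	home_server = backend1
	home_server = backend2
	home_server = backend3
	home_server = backend4
}
realm example.org {
	auth_pool = backends
}

# --- sites-enabled/default, inside the existing post-proxy section ---
post-proxy {
	Post-Proxy-Type Fail {
		do_not_respond   # policy from policy.conf: send nothing instead of Access-Reject
	}
}
```

With this in place the NAS sees a timeout rather than a reject while a backend is in its zombie period, so the NAS retransmit count and timeout need to be long enough to cover at least one retry.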



