Robust Authentication Proxying

Alan DeKok aland at deployingradius.com
Fri Jul 10 18:35:27 CEST 2009


Philip Molter wrote:
> Thanks for your patience with this.  I'm migrating from an old RADIUS
> platform that supports this behavior to freeradius, and I'm just trying
> to make sure I get everything working.

  What behavior?  Failover from one home server to another?  FreeRADIUS
does this already.

  I think what you want is to have the re-transmits switch from one home
server to another *before* the first one has been marked dead.  This is
difficult to do automatically.  Something like "send retransmits to a
backup server" is possible, but can have cause other problems.

  But you can use "radmin" to do this manually.

> What I really want is just, instead of the request being marked as
> failed when one of the home servers doesn't respond, for the proxy
> subsystem to just try sending the request to another configured home
> server.

  But it already does that.  Run the server, and watch how it behaves.
As I said before, the difficulty is determining *when* to do this failover.

>  If the proxy has tried sending a request to every non-zombie
> home server in the list and still hasn't gotten anything, then it can
> mark the request as failed.

  Sorry, but it takes time to determine that a home server has failed.
By the time this decision has been made for 2-3 home servers, 30 seconds
have usually passed, and the NAS has given up on the request.

> The way I originally thought it was going to work is similar to how
> modules are load-balanced.  If I have five SQL servers loaded through 5
> named SQL module configs, it will try the first, then the second, then
> the third until one of them returns success.  It would be great if the
> proxy load-balancing could work the same way.

  Unless I'm really missing something, it already does this.  Just
configure "type = load-balance" in the home server pool.

  Have you done this?

  What do you expect the proxy to do with requests sent to a home server
that *might* be down?  How should the proxy decide that the home server
is down?  Be specific.  Draw flow diagrams...

  If you can come up with a better algorithm, then by all means we'll
implement it.  But coming up with an algorithm that works *well* from
limited information is hard.

  The issue with your configuration is that you are trying valiantly to
game the system.  You're setting the timers *way* too low, and the
marking the requests as failed too early.  When the NAS retransmits, you
claim you want the proxy to fail over to another server... AFTER you've
already told it to give up on the request.

  Your configuration is contradicting your stated needs.  Fix one or the
other so that there is no contradiction.

  Alan DeKok.



More information about the Freeradius-Users mailing list