Arran Cudbard-Bell wrote:
Whats happening if the first round of authentication will go to radius1.uscs.susx.ac.uk
Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know about the previous request and bails out with.
Round robin && EAP don't work together very well.
So firstly is EAP proxying actually possible ?
Yes. Many people are using it. Round-robin, on the other hand, isn't currently possible. It would require additional code in the server. It's not hard, but it hasn't been done yet.
Secondly is there something really stupid i've missed ?
Nope.
There are two ways I can see this working, either the proxy server directs all the authentication rounds for one session to one proxy server. Or the eap module on either backend instance figures out what the previous part of the conversation was.
If it's proxying, the EAP module isn't being used.
Also I noticed this entry in eap.conf
# A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a # configurable length of time, entries in the list # expire, and are deleted. # timer_expire = 60
Anyone know where this list actually exists ? If it's just in memory or an actual file ?
It's in the EAP module. And it's only used when the server is doing the EAP authentication. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog