On 12/06/2012 10:16 AM, Alan Buxey wrote:
Hi,
home_server_pool EDUROAM-FTLR { type = fail-over home_server = proxy1 home_server = proxy2 }
I would use:
type = client-port-balance
to balance between the 2. (that method ensures the EAP goes to one remote server)
realm DEFAULT { pool = EDUROAM-FTLR nostrip }
hmmmm, this isnt best practice if thats all you have for throwing stuff upstream. woulf strongly recommend using unlang to validate that the user has valid realm etc and then update the request to use a realm identifier (eg eduroam) and use that in proxy.conf instead - thus you are only sending valid users upstream (and not all the random typos and junk) as the upstream servers will like you more for that - and wont be dropping requests and messing you up.
To expand on Alan's statement a bit here - it's possible that users are associating with your eduroam SSID and sending all kinds of nonsense (I think the best I've seen is: <space>user@domain<newline><space>user@domain</newline><repeat 3 times> ...and that the upstream RADIUS servers are not replying, which is causing you to get these dropouts. You probably want something like this: authorize { if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) { # user has a valid-looking realm update request { Stripped-User-Name := "%{1}" Realm = "%{toupper:%{2}}" } } else { # malformed NAI update reply { Reply-Message := "malformed username" } reject } if (Realm == MY.REALM) { ... } else { update control { Proxy-To-Realm := DEFAULT } }