On 15/05/12 13:21, Julien Cornuwel wrote:
Thanks to both of you for taking the time to answer.
I would strongly recommend you migrate to FR 2.1.12 - not only is it maintained, with latest features, bug fixes etc but it is also faster.
Unfortunately, this is not an option. HPIDM3 (a radius plugin provided by HP) doesn't work with Radius 2, and there is no way we can buy the upgrade to HPIDM4 any time soon. So I'm stuck with 1.1.x
At the very least, upgrade to 1.1.8
Anyway, I can live with a server that crashes once in a while, as long as I can detect it. The default timeout on the switches is 60 seconds, which is plenty enough to start a daemon and move a virtual IP...
This brings me back to my second question: how do you monitor your Radius servers ? I haven't been able to find anything except very basic Nagios checks...
You implied you wanted to test a "real" authentication and tried to replay one, which didn't (and shouldn't) work. Instead, I recommend you download the wpa_supplicant sources, and compile eapol_test. Write a wrapper script to run this, and perform a full 802.1x auth against the server. If it fails, it's down and you need to restart it. We do something like this: #!/bin/bash EAPOL_TEST=/usr/local/bin/eapol_test CFG=`mktemp` BUF=`mktemp` trap "rm -f $CFG $BUF" EXIT # write out the eapol_test config file cat <<EOF >$CFG network={ ssid="example 802.1x network" key_mgmt=IEEE8021X eap=PEAP phase2="auth=MSCHAPV2" identity="user@domain" password="XXX" } EOF # run eapol_test $EAPOL_TEST -c $CFG -a 127.0.0.1 -p 1812 -s testing123 >$BUF 2>&1 if [ $? -ne 0 ] then echo eapol_test failed exit 1 fi # it's fine exit 0