Nicolas Baradakis wrote:
I see one advantage to use Access-Request "pings": I can test both the RADIUS server and the MySQL backend with a single check.
Yes.
A FreeRADIUS proxy uses real users to ping the RADIUS servers, and that's troublesome for the reasons outlined in your draft. Keepalived deals with the problem differently: you can setup a special account to run the monitor checks. Therefore you don't really care whether the statistics of the user keepalived@realm.net are wrong.
That's for strictly local testing. I would suggest allowing this only from localhost, or with certain VSA's that will never come in a RADIUS packet. I'll add a paragraph about this situation. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog