On 28 Sep 2011, at 12:11, Zeus V Panchenko wrote:
thanks for quick reply
Arran Cudbard-Bell (a.cudbardb@freeradius.org) [11.09.28 08:28] wrote:
Yes, home server pools let you specify a 'fallback' home server which can point to a virtual server. It should be working in v2.1.x but is currently broken in 3.x.
See proxy.conf for details.
if i have core.radius.my.domain as my primary radius server and fallback.radius.my.domain as radius installed on AP
than i need in proxy.conf
home_server_pool my_auth_failover { type = fail-over home_server = core.radius.my.domain fallback = fallback.radius.my.domain }
but than, I need configure EAP/TLS on fallback.radius.my.domain identical to core.radius.my.domain one, correct?
Correct.
since without the same server certificates my clients will not be able authenticate with fallback.radius.my.domain
am I correct?
Partially. If you're using your own CA, then you could just sign multiple sets of server certificates and trust your CA on the clients. Thats one of the neat things about the PKI model. If you're using a commercial CA, then the cost of all those certificates might be prohibitive, and you should be using CN field checking, so yes you'd probably want to use the same certificates on all servers, even though it increases the risk of private key exposure. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !