Question about SQL fail open in post-auth and keyed-balance use in load balancing configuration
Question 1: I thought I once read how to add this "fail open" in regards to using an SQL module. I have a table that gets updated after an auth, but if the DB is slow or there is a network issue, I want it to go on. It's not vital to auth the user, just using it as a "location update" of sorts. Is this the correct configuration for this behavior? post-auth { redundant { sql_location handled } } Question 2: I am experimenting with load balancing. I read the comments about keyed-balance: # keyed-balance - the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items. The request is then sent to home server # chosen by taking: # server = (hash % num_servers_in_pool). # # If there is no Load-Balance-Key in the control items, the load balancing method is identical to "load-balance". # # For most non-EAP authentication methods, The User-Name attribute provides a good key. An "unlang" policy can be used to copy the User-Name to the Load-Balance-Key # attribute. This method may not work for EAP sessions, as the User-Name outside of the TLS tunnel is often static, e.g. "anonymous@realm". If the username is a bad choice, I figured that the Calling-Station-Id (which in my case is the client MAC) would be a way to consistently have the same Load-Balance-Key. I am adding this to my server {} section: pre-proxy { update control { Load-Balance-Key := "%{Calling-Station-Id}" } updated } But I am only seeing use of one of the defined proxy servers as defined in my "home_server_pool {}" section when I force auth's to this server. Would not expect every MAC address to hash to the same radius back end given the variation of MAC addresses: home_server = vm1 home_server = vm2 Is the above pre-proxy{} segment doing what I think it should do? Update the Load-Balance-Key to the control before it hits the proxy segment? Just want some confirmation that I am on the right track or I am going about this wrong (or if what I'm trying is not a good idea/possible). Thanks! - John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology
John Douglass wrote:
Question 1: I thought I once read how to add this "fail open" in regards to using an SQL module. I have a table that gets updated after an auth, but if the DB is slow or there is a network issue, I want it to go on. It's not vital to auth the user, just using it as a "location update" of sorts.
Is this the correct configuration for this behavior?
post-auth { redundant { sql_location handled } }
No. You want: post-auth { redundant { sql_location ok } } The "handled" code means something else.
Question 2: I am experimenting with load balancing. I read the comments about keyed-balance:
Yes... we've seen that text before. There's no need to re-post it to the list.
If the username is a bad choice, I figured that the Calling-Station-Id (which in my case is the client MAC) would be a way to consistently have the same Load-Balance-Key.
I am adding this to my server {} section:
pre-proxy { update control { Load-Balance-Key := "%{Calling-Station-Id}" } updated }
Which is too late. You've got to update the Load-Balance-Key attribute *before* the proxying starts. The reason is that the pre-proxy stage runs after the home server is chosen. This is so that you can do packet re-writing which is specific to the home server. And, set the "home_server_pool" to have "type = keyed-balance" Alan DeKok.
participants (2)
-
Alan DeKok -
John Douglass