EAP proxing with client-balance

Alan DeKok aland at deployingradius.com
Fri Oct 9 22:30:47 CEST 2009

Alexander Clouter wrote:
> <ramble>
> I used 'keyed-balance' as 'client-balance'/'client-port-balance' load 
> balance terribly when your NAS's use the same source port and most of 
> our traffic comes from the same IP (the single infernal WLC 4400 we 
> have).

  They're meant to be used with more than one client.

> Looking closer at the detail logs I saw that mid-EAP conversation the 
> packets started to get proxied to different national proxies which 
> resulted (expectedly) with a Access-Reject; also explaining why my 
> counterparts never saw an inner authentication.

  Ah.  If they're going through different proxies, but making back to
the *same* home server, that will be an issue.

> Looks like MS IAS does not really care where the proxied packets come 
> from, it only key's on Proxy-State (I'm guessing here); FreeRADIUS being 
> a lot more picky...which is just what I like :)  With this in mind I 
> moved to 'fail-over' and everything started working.  Alas I cannot 
> leave it on 'fail-over' otherwise Alan Buxey gets grumbly.

  I won't speak ill of another Alan.

> The conclusion, we should not be paying any attention to 
> 'currently_outstanding' or 'fr_rand()' when there is EAP traffic; I 
> decided to add the clause !HOME_POOL_LOAD_BALANCE; things now work.
> What do you think of the following patch, I think there is sound 
> reasoning behind it, however of course I am just a network monkey?

  Nope.  The solution is to fix the EAP module.  Edit
src/modules/rlm_eap.c, function eap_handler_cmp().  Delete the
comparison that checks src_ipaddr.

  The code already creates a unique State attribute for each EAP
session.  So it really doesn't need to check anything else.

  If that solves the problem, we can put the fix into 2.1.8.

  Alan DeKok.

More information about the Freeradius-Devel mailing list