EAP proxying with client-balance
Alan DeKok
aland at deployingradius.com
Sat Oct 10 18:22:22 CEST 2009
Alexander Clouter wrote:
> Does mean that client-balance, client-port-balance and keyed-balance do
> not do as advertised on the tin though which I would want to grumble
> about being a Bad Thing(tm).
Err... that's not at all what I said. They work, and they have
*nothing* to do with changes to the EAP module.
> It is a receiver side only fix mind you that does not stop FreeRADIUS
> (or anything else) shifting packets to the wrong place. The fix is that
> you need to remove any uncertainty about where the traffic goes and
> having that load comparison[1] and an explicit call to a random
> shuffler royally breaks things by making things unpredictable.
The only random code in the "find home server" function hasn't changed
in nearly 2 1/2 years.
> In the 'eduroam' case, if we removed the national RADIUS servers, and
> let's say I delivered the packets straight to the remote end, nothing
> stops FreeRADIUS delivering half an EAP session to the wrong box which
> would result in an Access-Reject.
>
> I would argue you actually want to keep the src_ipaddr check to pick up
> on upstream *broken* load balancers, unfortunately it's just currently
> FreeRADIUS does have a broken load balancer.
Could you be more specific?
> For what it is worth, NAK? :)
>
> Cheers
>
> [1] obviously you still want the max outstanding check there, but you
> have to think of the case of (such as for us) where
> 'outstanding_sessions' is zero ~100% of the time
Maybe what you want is "pick the first live one, even if it's less
used than the others".
Alan DeKok.