EAP proxying with client-balance

Alan DeKok aland at deployingradius.com
Sat Oct 10 18:22:22 CEST 2009

Alexander Clouter wrote:
> Does mean that client-balance, client-port-balance and keyed-balance do 
> not do as advertised on the tin though which I would want to grumble 
> about being a Bad Thing(tm).

  Err... that's not at all what I said.  They work, and they have
*nothing* to do with changes to the EAP module.

> It is a receiver side only fix mind you that does not stop FreeRADIUS 
> (or anything else) shifting packets to the wrong place.  The fix is that 
> you need to remove any uncertainty about where the traffic goes and 
> having that load comparison[1] and an explicit call to a random 
> shuffler royally breaks things by making things unpredictable.

  The only random code in the "find home server" function hasn't changed
in nearly 2 1/2 years.

> In the 'eduroam' case, if we removed the national RADIUS servers, and 
> let's say I delivered the packets straight to the remote end, nothing 
> stops FreeRADIUS delivering half an EAP session to the wrong box which 
> would result in an Access-Reject.
> I would argue you actually want to keep the src_ipaddr check to pick up 
> on upstream *broken* load balancers, unfortunately it's just currently 
> FreeRADIUS does have a broken load balancer.

  Could you be more specific?

> For what it is worth, NAK? :)
> Cheers
> [1] obviously you still want the max outstanding check there, but you 
> 	have to think of the case of (such as for us) where 
> 	'outstanding_sessions' is zero ~100% of the time

  Maybe what you want is "pick the first live one, even if it's less
used than the others".

  Alan DeKok.
