EAP-TLS and PEAP redundancy options

John Paul JDPAUL at GoColumbiaMO.com
Mon Dec 3 19:50:28 CET 2007

I have 2 FreeRadius servers set up, configured nearly identically. The idea is that if one is unavailable the NAS should look for the other. I'm attempting 802.1X with Cisco 2950s, which allow you to specify multiple RADIUS servers and automatically failover when one is unreachable. The switches are configured to reauthenticate the client every 30 minutes or so.

The issue is that if a machine is authenticated and the server that did the authentication is down, the switch will contact the other server and the EAP conversation will fail, causing authentication to fail. Research indicates that this is because the client and server have agreed upon session specific symmetric keys that the new server does not know about. Is there a way to tell FreeRadius to tear down the session once the user has been authenticated so that the next authentication will work if using a different server? If not, is anyone working on a patch or other change to enable this? I'll be happy to write the patch but am unfamiliar with the code. Can you tell me roughly where to look?
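The post describes state that lives on only one of the two servers: the TLS session cache each EAP-TLS/PEAP server fills after a full handshake. The model below is an added illustration, not FreeRADIUS code and not anything from the poster; it assumes a simplified server-side cache keyed by TLS session ID and a client that offers its last session on reauthentication. It shows three configurations a defender can compare: per-server caches (the failover case in the post, where the partner server has never seen the session ID), resumption disabled (every reauthentication is a full handshake, so no server-local state is needed), and a cache shared by both servers.

```python
"""Toy model of TLS session-resumption state across two EAP servers.

Constructed example, not FreeRADIUS code. Only the session cache that an
EAP-TLS/PEAP server keeps after a full TLS handshake is modelled.
"""
import secrets


class SessionCache:
    """Server-side store of resumable sessions, keyed by TLS session ID."""

    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s
        self._entries = {}  # session_id -> (master_secret, expiry_time)

    def put(self, session_id, master_secret, now):
        self._entries[session_id] = (master_secret, now + self.lifetime_s)

    def get(self, session_id, now):
        """Return the cached secret, or None if unknown or expired."""
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        secret, expiry = entry
        if now > expiry:
            del self._entries[session_id]  # lifetime exceeded: drop it
            return None
        return secret


class EapTlsServer:
    def __init__(self, name, cache=None):
        self.name = name
        self.cache = cache  # None means session resumption is disabled

    def authenticate(self, client, now):
        """Run one (re)authentication; return 'resumed' or 'full'."""
        if client.session is not None and self.cache is not None:
            session_id, secret = client.session
            if self.cache.get(session_id, now) == secret:
                return "resumed"  # both sides already share the keys
        # Full handshake: fresh session ID and master secret (random stand-ins)
        session_id = secrets.token_hex(16)
        secret = secrets.token_bytes(48)
        if self.cache is not None:
            self.cache.put(session_id, secret, now)
            client.session = (session_id, secret)  # client may offer it later
        else:
            client.session = None  # nothing resumable was issued
        return "full"


class Client:
    def __init__(self):
        self.session = None


def failover_scenarios():
    """Replay the 30-minute reauthentication cycle under three setups."""
    results = {}

    # 1. Each server keeps its own cache (the situation described in the post).
    a = EapTlsServer("radius-a", SessionCache())
    b = EapTlsServer("radius-b", SessionCache())
    c = Client()
    results["separate_first"] = a.authenticate(c, now=0)
    results["separate_reauth_same"] = a.authenticate(c, now=1800)
    results["separate_failover"] = b.authenticate(c, now=3600)   # a is down
    results["separate_back_to_a"] = a.authenticate(c, now=5400)  # a returns

    # 2. Resumption disabled on both servers: no server-local state at all.
    a2, b2, c2 = EapTlsServer("radius-a"), EapTlsServer("radius-b"), Client()
    results["disabled_first"] = a2.authenticate(c2, now=0)
    results["disabled_failover"] = b2.authenticate(c2, now=1800)

    # 3. One cache visible to both servers (e.g. a shared backing store).
    shared = SessionCache(lifetime_s=3600)
    a3, b3, c3 = EapTlsServer("radius-a", shared), EapTlsServer("radius-b", shared), Client()
    results["shared_first"] = a3.authenticate(c3, now=0)
    results["shared_failover"] = b3.authenticate(c3, now=1800)
    results["shared_expired"] = b3.authenticate(c3, now=7200)  # past lifetime

    return results


if __name__ == "__main__":
    for name, outcome in failover_scenarios().items():
        print(f"{name:24s} {outcome}")
```

In setup 1 the client and the surviving server hold no common session, so only a full handshake can succeed; in setups 2 and 3 the outcome no longer depends on which server answers the reauthentication.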