EAP-TLS and PEAP redundancy options
Phil Mayers
p.mayers at imperial.ac.uk
Tue Dec 4 18:20:39 CET 2007
>
> There are patches to enable this, but they have not, as yet, been
> integrated. In any case, they won't help you to fail over from one
> server to another.
If/when those patches get integrated, it would be highly useful to
support failover between servers. I guess the requirements for this
would be:

1. Expose the OpenSSL session cache config, so that distcache can be
   configured to share the SSL sessions between servers
2. Implement some way of attaching the PEAP/TTLS tunnel state to the
   session cache, or otherwise be reachable by the other FreeRADIUS
   server, so that when resumption occurs the inner info can be
   (re)used for authorization.

I don't know much about the OpenSSL session API, so the 2nd could be
either very hard or trivial ;o)