EAP-TLS and PEAP redundancy options

Phil Mayers p.mayers at imperial.ac.uk
Tue Dec 4 18:20:39 CET 2007

>   There are patches to enable this, but they have not, as yet, been
> integrated.  In any case, they won't help you to fail over from one
> server to another.

If/when those patches get integrated, it would be highly useful to 
support failover between servers. I guess the requirements for this 
would be:

  1. Expose the openssl session cache config, so that distcache can be 
configured to share the SSL sessions between servers

  2. Implement some way of attaching the PEAP/TTLS tunnel state to the 
session cache, or otherwise be reachable by the other FreeRadius server, 
so that when resumption occurs the inner info can be (re)used for 

I don't know much about the OpenSSL session API, so the 2nd could be 
either very hard or trivial ;o)

More information about the Freeradius-Users mailing list