EAP-TLS and PEAP redundancy options

Alan DeKok aland at deployingradius.com
Tue Dec 4 21:09:04 CET 2007


Phil Mayers wrote:
>>
>>   There are patches to enable this, but they have not, as yet, been
>> integrated.  In any case, they won't help you to fail over from one
>> server to another.
> 
> If/when those patches get integrated, it would be highly useful to
> support failover between servers. I guess the requirements for this
> would be:

  Bleah.  I guess it's possible, but it's pretty ugly.

>  1. Expose the openssl session cache config, so that distcache can be
> configured to share the SSL sessions between servers

  As always, patches are welcome. :)

  On a related note, sharing the RADIUS packets between servers would be
a good idea.  It would avoid duplicate handling of Access-Request or
Accounting-Request.

>  2. Implement some way of attaching the PEAP/TTLS tunnel state to the
> session cache, or otherwise be reachable by the other FreeRadius server,
> so that when resumption occurs the inner info can be (re)used for
> authorization.

  You can register callbacks to store OpenSSL contexts somewhere outside
of main memory.  It's not hard, but it requires someone to write the code.

  Alan DeKok.
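The failover scenario above, as an added Go illustration (not FreeRADIUS or OpenSSL code, and not from this thread): a client does a full handshake with server A and then "fails over" to an independent server B. Go has no shared server-side session cache like the OpenSSL/distcache setup Phil describes, so the shared state is the TLS session-ticket key instead, and B can resume only when it holds A's key. The certificate, ticket keys and the name radius.example are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ResumesAcrossServers: full handshake with server A, then a handshake with an independent server B;
// returns whether B resumed. B can only do so if it holds A's session-ticket key, the shared state here.
func ResumesAcrossServers(shared bool) bool {
	// Constructed self-signed certificate: both servers present it and the client trusts only it.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"radius.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool(); pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	var keyA, keyB [32]byte // one ticket key per server; "shared" hands B a copy of A's key
	rand.Read(keyA[:]); rand.Read(keyB[:])
	if shared { keyB = keyA }
	// serve: one TLS server on loopback; sends "ok" so the client reads past the NewSessionTicket record.
	serve := func(k [32]byte) net.Listener {
		cfg := &tls.Config{Certificates: []tls.Certificate{cert}}; cfg.SetSessionTicketKeys([][32]byte{k})
		ln, err := net.Listen("tcp", "127.0.0.1:0"); if err != nil { panic(err) }
		go func() {
			raw, err := ln.Accept(); if err != nil { return }
			c := tls.Server(raw, cfg); defer c.Close()
			// after "ok", Read blocks until the client's close_notify arrives (EOF)
			if c.Handshake() == nil { c.Write([]byte("ok")); c.Read(make([]byte, 1)) }
		}()
		return ln
	}
	// connect does one handshake; reading "ok" also stores any new ticket in the client cache.
	cli := &tls.Config{RootCAs: pool, ServerName: "radius.example", ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	connect := func(ln net.Listener) bool {
		defer ln.Close()
		c, err := tls.Dial("tcp", ln.Addr().String(), cli); if err != nil { panic(err) }
		defer c.Close(); c.Read(make([]byte, 2))
		return c.ConnectionState().DidResume
	}
	connect(serve(keyA))        // first contact: full handshake, ticket cached under "radius.example"
	return connect(serve(keyB)) // failover to B: resumed only if B can decrypt A's ticket
}
```

For an EAP-TLS/PEAP deployment the same property matters for the supplicant's resumed session after a RADIUS server fails over: without shared state on the second server, every resumption attempt falls back to a full handshake.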
