FreeRADIUS + LVS problem

Alan DeKok aland at deployingradius.com
Sat Feb 17 01:44:58 CET 2007


Sam Schultz wrote:
> According to my research, FreeRADIUS supposedly does work from 
> behind an LVS load balancer.  My current configuration works 
> perfectly outside of the LVS, but once it is put behind the LVS it 
> ceases to work.  Connections seem to succeed even behind the LVS, 
> until they get to an access challenge, where I get:
> 
> rad_recv: Access-Challenge packet from host 192.168.240.111:5058, id=42, length=64
> Authentication reply packet code 11 sent to a non-proxy reply port from client WPA_Test:5058 - ID 42 : IGNORED

  Somehow Access-Challenge packets are being sent to the RADIUS server.
 This could be because some UDP-level routing is incorrect in LVS.

> From what little information I could find on this, it looks like 
> the freeradius thinks these are proxied requests due to ip mangling 
> done by the LVS load balancer (Basically, it's a 1:1 NAT).

  Even if the LVS load balancer is doing IP mangling, it has no business
sending Access-Challenges to a RADIUS server on port 1812.  Those
challenges are sent FROM the server, and should have been sent back to
the NAS.

  A larger problem with LVS is that if you're doing Access-Challenges,
the responses MUST go back to the RADIUS server that sent the challenge.
So a UDP-level load balancer that doesn't understand RADIUS may not work.

> P.S. Alan, I would definitely think this (LVS + FreeRADIUS) would 
> be a good topic for your book

  I plan on having a chapter on that, yes.  I've been trying to get Xen
installed on a machine, without much luck.  (Xen gets part way through
booting... stops... and reboots).

  As for your other message:

> I was thinking there may be some way to coerce FR into
> thinking the load balancer is another radius server sending over
> proxied requests, or something like that.

  The simplest way to do that is (perhaps not surprisingly) to run
FreeRADIUS as a proxy, doing RADIUS-aware load balancing.  Since that
machine won't be doing authentication (DB's are slow), there's no reason
it can't handle proxying 5k RADIUS requests/s.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
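As an added illustration of the RADIUS-aware front end suggested in the reply above (this is not from the original thread, and it uses the proxy.conf syntax of later FreeRADIUS 2.x/3.x releases rather than the 1.x version current in 2007), the following is a constructed proxy.conf fragment for the proxying FreeRADIUS host. The host names, addresses and shared secrets are placeholders; the pool type `client-balance` keys the choice of home server on the NAS's source address, so every packet of one Access-Challenge conversation lands on the same backend, which a plain round-robin (`load-balance`) pool would not guarantee. Requests are steered into the pool from the `authorize` section of the default virtual server (shown in the trailing comment).

```conf
# Backend RADIUS servers that actually authenticate (DB/EAP work).
home_server auth1 {
        type   = auth
        ipaddr = 192.0.2.11        # placeholder address
        port   = 1812
        secret = PLACEHOLDER_SECRET_1
        status_check = status-server   # detect dead backends
}

home_server auth2 {
        type   = auth
        ipaddr = 192.0.2.12        # placeholder address
        port   = 1812
        secret = PLACEHOLDER_SECRET_2
        status_check = status-server
}

# client-balance: pick the home server from the client's (NAS's)
# source IP, so a multi-round Access-Challenge exchange stays on
# one backend. "load-balance" would spread rounds across servers
# and break challenge/response state, the failure discussed above.
home_server_pool eap_pool {
        type = client-balance
        home_server = auth1
        home_server = auth2
}

# Realm that points at the pool; it is selected explicitly below.
realm eap_lb {
        auth_pool = eap_pool
}

# In sites-enabled/default, section "authorize", add:
#
#     update control {
#         Proxy-To-Realm := "eap_lb"
#     }
#
# so every Access-Request is forwarded instead of authenticated
# locally on the front-end box.
```

The front-end host still needs a clients.conf entry for each NAS (it is the server the NAS talks to), and each backend needs a clients.conf entry for the front-end host.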
