Proxying EAP Requests in round robin.
Alan DeKok
aland at deployingradius.com
Tue Mar 20 12:30:47 CET 2007
Arran Cudbard-Bell wrote:
> What's happening if the first round of authentication will go to
> radius1.uscs.susx.ac.uk
>
> Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know
> about the previous request and bails out with.
Round robin && EAP don't work together very well.
> So firstly is EAP proxying actually possible ?
Yes. Many people are using it. Round-robin, on the other hand, isn't
currently possible. It would require additional code in the server.
It's not hard, but it hasn't been done yet.
> Secondly is there something really stupid I've missed ?
Nope.
> There are two ways I can see this working, either the proxy server
> directs all the authentication rounds for one session to one proxy
> server. Or the eap module on either backend instance figures out what
> the previous part of the conversation was.
If it's proxying, the EAP module isn't being used.
> Also I noticed this entry in eap.conf
>
> # A list is maintained to correlate EAP-Response
> # packets with EAP-Request packets. After a
> # configurable length of time, entries in the list
> # expire, and are deleted.
> #
> timer_expire = 60
>
> Anyone know where this list actually exists ?
> If it's just in memory or an actual file ?
It's in the EAP module. And it's only used when the server is doing
the EAP authentication.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
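
An added illustration, not FreeRADIUS code and not part of the original message, of why the round-robin pool in this thread rejects the second EAP round while a pool that pins each conversation to one home server completes it. The sticky picker keyed on Calling-Station-Id, the three-round conversation, and all class and function names are assumptions made for the example.

```python
import hashlib
from itertools import count

class HomeServer:
    """Model of a backend whose EAP conversation list lives only in its own memory."""
    def __init__(self, name, final_round=3):
        self.name, self.final_round = name, final_round
        self.pending = {}          # State value -> round already completed
        self._ids = count(1)

    def handle(self, state):
        if state is None:                      # first packet of a conversation
            rnd = 1
        elif state in self.pending:            # continuation this server started
            rnd = self.pending.pop(state) + 1
        else:                                  # continuation started elsewhere
            return "Access-Reject", None
        if rnd == self.final_round:
            return "Access-Accept", None
        new_state = f"{self.name}/{next(self._ids)}"
        self.pending[new_state] = rnd
        return "Access-Challenge", new_state

def round_robin(servers):
    turn = count()
    return lambda key: servers[next(turn) % len(servers)]

def sticky(servers):
    # Assumption: Calling-Station-Id is stable for the whole conversation.
    def pick(key):
        digest = hashlib.sha256(key.encode()).digest()
        return servers[int.from_bytes(digest[:4], "big") % len(servers)]
    return pick

def run_conversation(pick, calling_station_id, max_rounds=10):
    state, path, reply = None, [], None
    for _ in range(max_rounds):
        server = pick(calling_station_id)
        path.append(server.name)
        reply, state = server.handle(state)
        if reply != "Access-Challenge":
            break
    return reply, path

def make_servers():
    return [HomeServer("radius1.uscs.susx.ac.uk"), HomeServer("radius2.uscs.susx.ac.uk")]

if __name__ == "__main__":
    mac = "00-11-22-33-44-55"                  # constructed sample value
    print(run_conversation(round_robin(make_servers()), mac))
    print(run_conversation(sticky(make_servers()), mac))
```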