Proxying EAP Requests in round robin
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Mar 20 17:15:49 CET 2007
> Message: 2
> Date: Tue, 20 Mar 2007 12:30:47 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Proxying Eap Requests in round robbin.
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <45FFC5E7.7010801 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
>
>> What's happening if the first round of authentication will go to
>> radius1.uscs.susx.ac.uk
>>
>> Second will go to radius2.uscs.susx.ac.uk, but the second doesn't know
>> about the previous request and bails out with.
>
> Round robin && EAP don't work together very well.
>
>> So firstly is EAP proxying actually possible ?
>
> Yes. Many people are using it. Round-robin, on the other hand, isn't
> currently possible. It would require additional code in the server.
>
> It's not hard, but it hasn't been done yet.
>
>> Secondly is there something really stupid I've missed ?
>
> Nope.
>
>> There are two ways I can see this working, either the proxy server
>> directs all the authentication rounds for one session to one proxy
>> server. Or the eap module on either backend instance figures out what
>> the previous part of the conversation was.
>
> If it's proxying, the EAP module isn't being used.
>
>> Also I noticed this entry in eap.conf
>>
>> # A list is maintained to correlate EAP-Response
>> # packets with EAP-Request packets. After a
>> # configurable length of time, entries in the list
>> # expire, and are deleted.
>> #
>> timer_expire = 60
>>
>> Anyone know where this list actually exists ?
>> If it's just in memory or an actual file ?
>
> It's in the EAP module. And it's only used when the server is doing
> the EAP authentication.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
Damn, so there's no way to do load balancing with RADIUS packets
containing EAP attributes?

Completely different topic, but is it normal for FreeRADIUS to authorize
the user in each round of authentication? Can it not cache the
credentials from the LDAP / SQL database? Or is it doing that already
transparently?

Thank you very much for your quick response anyway, saved me hours of
head scratching.
Regards,
Arran
--
Arran Cudbard-Bell (ac221 at sussex.ac.uk)
Authentication Authorisation & Accounting Officer
Infrastructure Services | ENG1 FF08
EXT:3900
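
The failure discussed in this thread, as an added example that is not part of the original posts and is not FreeRADIUS code: a toy simulation in which each backend keeps its own in-memory EAP session list, so round robin breaks at the second round while selection keyed on a value that stays constant for the conversation keeps every round on one server. The Backend class, the round numbering and the choice of Calling-Station-Id as the key are assumptions made for illustration.

```python
import hashlib
import itertools

TIMER_EXPIRE = 60  # seconds, mirrors timer_expire in the quoted eap.conf


class Backend:
    """Toy home server holding an in-memory list of outstanding EAP sessions."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}  # key -> (next expected round, time last seen)

    def handle(self, key, round_no, now):
        # Drop entries older than TIMER_EXPIRE, as the eap.conf comment says.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[1] <= TIMER_EXPIRE}
        expected = self.sessions.get(key, (1, now))[0]
        if round_no != expected:
            return False  # this server never saw the earlier round
        self.sessions[key] = (round_no + 1, now)
        return True


def round_robin(backends):
    cycle = itertools.cycle(backends)
    return lambda key: next(cycle)


def sticky(backends):
    # Hash a value that is the same in every round of one conversation.
    def pick(key):
        digest = hashlib.sha256(key.encode()).digest()
        return backends[int.from_bytes(digest[:4], "big") % len(backends)]
    return pick


def run_conversation(pick, key, rounds=4):
    """Return the first round a backend rejects, or None if all succeed."""
    for n in range(1, rounds + 1):
        if not pick(key).handle(key, n, now=n):
            return n
    return None


def demo():
    names = ["radius1", "radius2"]  # constructed stand-ins for two backends
    key = "00-11-22-33-44-55"       # constructed Calling-Station-Id (assumption)
    rr = run_conversation(round_robin([Backend(n) for n in names]), key)
    st = run_conversation(sticky([Backend(n) for n in names]), key)
    return rr, st
```
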