FreeRADIUS and EDUROAM timeout issues
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Thu Oct 9 17:14:02 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Really in an system of chained proxy servers like EDUROAM you only want
>> to be testing first hop connectivity.
>
> Exactly.
>
>> Alan, do you think it might be a good idea to provide an option to
>> disregard failures from standard authentication requests, and instead
>> use periodic status_checks to mark servers alive or dead?
>
> How about having it send Status-Server packets (or whatever you
> configure) at the START of the zombie period. i.e. as soon as it
> determines that the server hasn't responded to a request, start pinging
> it with Status-Server packets.
That'd work. So when a server is marked as a Zombie Access-Requests
still sent to it until the Zombie period has expired? If so do responses
to Access-Requests sent during the Zombie Period force the server live
again?
But of course you can't guarantee successful authentication within the
Zombie Period... So you send the Status-Server packets before you Mark
the server as dead, if the server responds then the first hop is good,
and it's the ORPS that's dead. If it doesn't, then the first hop is bad
and we fail over to another server.
>
> If it responds to the Status-Server, it will be marked "live", even if
> it doesn't respond to Access-Request packets.
>
> That will help, but the only solution to working with broken servers
> is to implement the N x M realm/server management.
>
Thanks,
Arran
- --
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuH7oACgkQcaklux5oVKJb8wCfb3ZEDi5ZVuCmHzA4HR05jHF9
WacAniG+Vpf7rGZBHE2m94RzQuR5oTsF
=8Om7
-----END PGP SIGNATURE-----
More information about the Freeradius-Users
mailing list