Robust Authentication Proxying

Philip Molter hrunting at hrunting.org
Fri Jul 10 14:06:37 CEST 2009


On Jul 10, 2009, at 4:05 AM, Ivan Kalik wrote:

>> I'm trying to setup a robust RADIUS authentication proxy.  All this
>> radius will do is proxy all auth requests to a set of four backend
>> RADIUS handlers.  I have a 2.1.6 server that I've configured with  
>> four
>> home_server entries and one home_server_pool that load-balances  
>> across
>> the four.  It works when all four backends are up, but if any 1 of  
>> the
>> backend goes down, then requests that get directed to that backend
>> result in an Access-Reject packet being returned to the NAS.  Is  
>> there
>> a way to configure freeradius so that instead of returning an Access-
>> Reject packet, the server will instead switch to the next configured
>> server and retry the request there?  It may mean that it takes a
>> little longer for the request to be handled, but that's better than  
>> it
>> being rejected.
>
> No, but you can enable do_not_respond policy (see policy.conf). Server
> then won't respond to the NAS. That should result in repeated request
> which should (chances are) end up with different home server. This  
> would
> be in effect during zombie period. Once the home server is marked  
> dead no
> requests will go to it.

Yeah,that's what I'm doing.  The problem is that the retries are not  
being sent to a different home server (or any home server).  They are  
being dropped as retransmits because internally, freeradius is  
tracking that no reply was sent to them earlier.  I have tried  
treaking cleanup_delay to 0 or 1 to flush these out sooner, but it  
does not work -- they do not appear to be tracked the same way as  
normal responses.  Here are the debug messages from radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1 port 47163,  
id=155, length=59
Ignoring retransmit from client SERVERS port 47163 - ID: 155, no reply  
was configured

Is there any way to prevent an ignored response from being tracked  
this way so that retransmits will be treated as new requests?  Or am I  
just not sending enough retransmits?

Philip



More information about the Freeradius-Users mailing list