Robust Authentication Proxying

Alan DeKok aland at deployingradius.com
Fri Jul 17 14:48:42 CEST 2009


Philip Molter wrote:
> I have left it in as a configurable option.  I would rather someone not
> upgrade their freeradius codebase with this patch and find that the
> behavior they have come to rely on has changed.

  While I am concerned about changing behavior, that reject on
"response_window" happened ONLY for the first request to hit
"response_window".  All others continued to be proxied to the home
server, even when it was zombie.

  So the original behavior was arguably inconsistent, and wrong.

> Patch is attached to this e-mail.  Please let me know if you would like
> it sent somewhere else or in some other format.

  That's OK.  I've committed changes that:

a) allow response_window && zombie_period to be smaller

b) proxying prefers live home servers to zombie servers
   zombie servers are still used if there's no other choice.
   This improves the stability of proxying

c) response_window being hit now does nothing other than start
   the zombie period.  The first request that causes this is NOT
   rejected.  The old behavior can still be configured if desired.

d) documentation for all of the above.

  Alan DeKok.



More information about the Freeradius-Users mailing list