freeradius2 Proxy fail-over issues

Emmett Culley emmett at webengineer.com
Tue May 26 01:45:42 CEST 2009


I just upgraded one of our CentOS 5 systems from FreeRadius 1.x to FreeRadius 2.1.6.  It was all working before the upgrade and I have it working on the new version.  That is, by using the deprecated authhost and accthost variables in the realm definition I can successfully authenticate and process accounting with the new version.

However, as soon as I attempt to define a set of main and backup servers, then use the auth_pool and acct_pool variables I get the following error:

"Ignoring spoofed proxy reply.  Signature is invalid"

Here is a status query that results in the error, like any other query:

Sending Access-Request of id 136 to x.x.x.x port 1812
       User-Name := ""
       User-Password := ""
       Service-Type := Authenticate-Only
       Message-Authenticator := 0x00000000000000000000000000000000
       NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.
rad_recv: Access-Reject packet from host x.x.x.x port 1812, id=136, length=64
Ignoring spoofed proxy reply.  Signature is invalid

Of course, the main reason I upgraded at all was to be able to define a pool of servers.  I've searched Google and cannot find any references to this issue.  Here are the proxy.conf lines that matter:

home_server my_rlm_auth {
       ipaddr = x.x.x.x
       port = 1812
       type = "auth"
       secret = "bignewsecret"
       response_window = 30
       max_outstanding = 65536
       zombie_period = 40
       status_check = "none"
       ping_check = "none"
#        ping_interval = 30
#        check_interval = 30
#        num_answers_to_alive = 3
#        num_pings_to_alive = 3
       revive_interval = 300
       status_check_timeout = 4
}
home_server my_rlm_acct {
       ipaddr = x.x.x.x
       port = 1813
       type = "acct"
       secret = "bignewsecret"
       response_window = 30
       max_outstanding = 65536
       zombie_period = 40
       status_check = "none"
       ping_check = "none"
#        ping_interval = 30
#        check_interval = 30
#        num_answers_to_alive = 3
#        num_pings_to_alive = 3
       revive_interval = 300
       status_check_timeout = 4
}

server_pool my_rlm_auth_pool {
       type = fail-over
       home_server = my_rlm_auth
#        home_server = Primary_my_rlm_auth
#        home_server = Secondary_my_rlm_auth
}
server_pool my_rlm_acct_pool {
       type = fail-over
       home_server = my_rl_acct
#        home_server = Primary_my_rlm_acct
#        home_server = Secondary_my_rlm_acct
}
realm my_rlm {
       nostrip
       auth_pool = my_rlm_auth_pool
       acct_pool = my_rlm_acct_pool
#        authhost = x.x.x.x:1812
#        accthost = x.x.x.x:1813
#        secret = "bignewsecret"
       type = radius
}

Any ideas or pointers?

Regards,
Emmett
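
For reference on the error quoted in the message above: RFC 2865 has the receiver of a RADIUS reply verify its Response Authenticator, an MD5 over the reply header, the original Request Authenticator, the reply attributes and the shared secret. The sketch below is an added example, not part of the original post and not FreeRADIUS source; the packet contents, the second secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS code for Access-Reject (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 sec. 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Home-server side: sign the reply with its copy of the shared secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(reply, request_auth, secret):
    """Proxy side: recompute the authenticator with the local secret and compare."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # Constructed sample data: a fixed Request Authenticator and one
    # Reply-Message attribute (type 18, length 8). id 136 matches the log above.
    request_auth = bytes(range(16))
    attrs = bytes([18, 8]) + b"denied"
    reply = build_reply(ACCESS_REJECT, 136, attrs, request_auth, b"bignewsecret")
    tampered = reply[:-1] + b"X"
    return {
        "same secret": verify_reply(reply, request_auth, b"bignewsecret"),
        # "othersecret" is a hypothetical mismatched secret on the proxy side
        "different secret": verify_reply(reply, request_auth, b"othersecret"),
        # reply checked against a request it does not belong to
        "wrong request": verify_reply(reply, bytes(16), b"bignewsecret"),
        "tampered attrs": verify_reply(tampered, request_auth, b"bignewsecret"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'signature invalid'}")
```

Only the first case verifies; a differing secret, a reply matched to the wrong request, or modified attributes all fail the same comparison.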
