Load Balancing EAP with freeradius...
Robert Roll
Robert.Roll at utah.edu
Thu Mar 24 13:16:23 CET 2011
Thanks,
The following seems to work pretty well for us.
authorize {
update control {
# Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
Load-Balance-Key := "%{Calling-Station-ID}"
}
I had taken a snap shot of unique client-mac addresses we
encountered over about a 3 month period. That came to 28,874.
Doing a test with balancing off of the client-mac addresses, the hash
seems to create nearly equal "buckets". My test was with 4 backend
servers behind a load balancer...
Again thanks,
Robert
________________________________________
From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Alexander Clouter [alex at digriz.org.uk]
Sent: Thursday, March 24, 2011 4:15 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Load Balancing EAP with freeradius...
Robert Roll <Robert.Roll at utah.edu> wrote:
>
> I'd like to try load balancing EAP/PEAP/MSCHAPV2 using freeradius. I
> looked at the proxy.conf and it seems that there are two options,
> because you have to insure the same end client talks to the same
> radius server. There seems to be client-balance that uses IP source
> addresses and there is Load-Balance-Key something like
>
> update control {
> Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
> }
>
> Currently, we have a Radiator server that uses client mac-addresses for this purpose. If I do
> want to use the Load-Balance-Key, I'm honestly not sure where to put the update of the
> Load-Balance-Key.. Does it go in the proxy.conf ?
>
Straight into your 'authorize' section, as close to the top as you
like/can. The following is roughly what we use, we only do it for
'Realm == DEFAULT' as that is for our 'eduroam'ing userbase:
----
authorize {
preprocess
suffix
[unlang/policy that is used for *all* packets]
eap {
ok = return
}
# done after eap so we find can record what guests are using
if (Realm == DEFAULT) {
update control {
Load-Balance-Key := "%{NAS-IPv6-Address} %{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-Id}"
}
# break out of 'authorize' early to spare CPU cycles
handled
}
[unlang/policy that is used for all *non-proxied* packets]
}
----
Cheers
--
Alexander Clouter
.sigmonster says: People who push both buttons should get their wish.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list