FreeRadius with Eduroam - Accounting
Mike Diggins
mike.diggins at mcmaster.ca
Thu Oct 13 19:47:49 CEST 2011
On Tue, 4 Oct 2011, Mike Diggins wrote:
>
> I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an
> Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly
> failing over the Accounting Servers, due to lack of response from the Home
> Servers, or so says the log. However, I believe the issue is that some remote
> institutions' Radius Servers are ignoring the Accounting packets, and timing
> out my end, making it believe the Home Servers have failed to respond.
> FreeRadius responds by marking the Home server dead. It then sends a
> status-server query, to which it gets a reply, and enables the Dead Home
> server. I believe that's the sequence of events anyway. I captured some of
> that in debug mode:
>
> Rejecting request 288 due to lack of any response from home server x.x.x.x
> port 1813
>
> Finished request 288.
>
> Cleaning up request 288 ID 205 with timestamp +1161
>
> PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is
> dead).
>
> Sending Status-Server of id 55 to x.x.x.x port 1813
> Message-Authenticator := 0x00000000000000000000000000000000
> NAS-Identifier := "Status Check. Are you alive?"
> Waking up in 3.9 seconds.
>
> rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806
>
> I don't have any control over Accounting Packets being accepted, or not, by
> other Eduroam members. Some do, some don't, I imagine. Is there a
> configuration for FreeRadius that handles this situation cleanly? Seems to me
> that FR should check the Home server first, before marking it dead (at
> least).

Accounting feature on the WLAN controllers (for now), I noticed that a
similar failure is happening on the Authentication side. Some
authentication requests proxied to other radius servers (via Eduroam) are
either failing or taking a long time to respond, which also causes my
FreeRadius to mark the Home Server as DOWN. That also seems to cause a
chain reaction of backed up requests, causing my WLAN controllers to
fail over the radius server.

So, similar to my Accounting problem, is there any way to prevent a single
Authentication failure from backing up the works!? Does FR answer queries
in sequence only? I don't really understand why this sort of failure has
such a nasty consequence.
-Mike
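
The sequence quoted in the message (request timeout, zombie mark, Status-Server probe, reply) can be extracted from debug output to list home servers that are marked down while still answering probes. This is an added example, not part of the original post or of FreeRADIUS; the sample log is constructed from the line shapes quoted above, with 192.0.2.x documentation addresses standing in for the elided ones.

```python
import re
from collections import defaultdict

# Patterns follow the debug lines quoted in the post (FreeRADIUS 2.x debug mode).
NO_RESP = re.compile(r"Rejecting request (\d+) due to lack of any response "
                     r"from home server (\S+) port (\d+)")
ZOMBIE = re.compile(r"PROXY: Marking home server (\S+) port (\d+) as zombie")
PROBE = re.compile(r"Sending Status-Server of id (\d+) to (\S+) port (\d+)")
REPLY = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")

# Constructed sample (not a real capture); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Rejecting request 288 due to lack of any response from home server 192.0.2.10 port 1813
Finished request 288.
PROXY: Marking home server 192.0.2.10 port 1813 as zombie (it looks like it is dead).
Sending Status-Server of id 55 to 192.0.2.10 port 1813
Waking up in 3.9 seconds.
rad_recv: Access-Accept packet from host 192.0.2.10 port 1813, id=55, length=806
Rejecting request 301 due to lack of any response from home server 192.0.2.20 port 1812
PROXY: Marking home server 192.0.2.20 port 1812 as zombie (it looks like it is dead).
Sending Status-Server of id 56 to 192.0.2.20 port 1812
"""

def summarize(lines):
    """Per home server (ip, port): timeouts, zombie marks, answered probes."""
    stats = defaultdict(lambda: {"timeouts": 0, "zombie": 0, "probe_ok": 0})
    pending = {}  # (ip, port, id) of Status-Server probes still unanswered
    for line in lines:
        if m := NO_RESP.search(line):
            stats[(m[2], int(m[3]))]["timeouts"] += 1
        elif m := ZOMBIE.search(line):
            stats[(m[1], int(m[2]))]["zombie"] += 1
        elif m := PROBE.search(line):
            pending[(m[2], int(m[3]), int(m[1]))] = True
        elif m := REPLY.search(line):
            key = (m[2], int(m[3]), int(m[4]))
            if pending.pop(key, None):  # reply matches an outstanding probe
                stats[key[:2]]["probe_ok"] += 1
    return dict(stats)

def alive_but_marked_zombie(lines):
    """Servers marked zombie that still answered a Status-Server probe."""
    return sorted(s for s, c in summarize(lines).items()
                  if c["zombie"] and c["probe_ok"])

if __name__ == "__main__":
    for ip, port in alive_but_marked_zombie(SAMPLE_LOG.splitlines()):
        print(f"{ip}:{port} was marked zombie but answered Status-Server")
```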