FreeRadius with Eduroam - Accounting

Mike Diggins mike.diggins at mcmaster.ca
Fri Oct 14 15:33:45 CEST 2011


On Fri, 14 Oct 2011, Alan DeKok wrote:

> Mike Diggins wrote:
>> Accounting feature on the WLAN controllers (for now), I noticed that a
>> similar failure is a happening on the Authentication side. Some
>> authentication requests proxied to other radius servers (via Eduroam)
>> are either failing or taking a long time to respond, which also causes
>> my FreeRadius to mark the Home Server as DOWN. That also seems to cause
>> a chain reaction of backed up requests, causing my WLAN controllers to
>> failover the radius server.
>
>  There's really very little you can do about that in RADIUS.
> FreeRADIUS figures out that a home server is down because it stops
> responding to requests.
>
>  So if it stops responding... it looks like it's dead.

Does FreeRadius work synchronously only, so a slow response from one remote 
server stops any other pending authentications from completing until that 
first one is finished?

>
>> So, similar to my Accounting problem, is there anyway to prevent a
>> single Authentication failure from backing up the works!? Does FR answer
>> queries in sequence only? I don't really understand why this sort of
>> failure has such a nasty consequence.
>
>  What, exactly, is the server supposed to do when the next hop isn't
> responding to packets?  Is the next hop up?  Is it down?  How can you tell?

I'm not sure. If my assumption above is correct, then I don't see a good 
solution. I'm thinking of a method like Squid proxy server, where a number 
of authenticators are used, so one that's slow or fails doesn't affect 
the others.

The only suggestion I can think of right now is to send the server-status 
message to the next hop first before marking it dead. I think that would 
be a safer assumption when proxying anyway.


>
>  It's this kind of thing that makes me think keep-alives should become
> standard for eduroam.  The extra few packets every couple of seconds are
> a small cost to pay for ensuring that authentication works.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-Mike



More information about the Freeradius-Users mailing list