FreeRadius with Eduroam - Accounting
Mike Diggins
mike.diggins at mcmaster.ca
Fri Oct 14 15:33:45 CEST 2011
On Fri, 14 Oct 2011, Alan DeKok wrote:
> Mike Diggins wrote:
>> Accounting feature on the WLAN controllers (for now), I noticed that a
>> similar failure is happening on the Authentication side. Some
>> authentication requests proxied to other radius servers (via Eduroam)
>> are either failing or taking a long time to respond, which also causes
>> my FreeRadius to mark the Home Server as DOWN. That also seems to cause
>> a chain reaction of backed up requests, causing my WLAN controllers to
>> failover the radius server.
>
> There's really very little you can do about that in RADIUS.
> FreeRADIUS figures out that a home server is down because it stops
> responding to requests.
>
> So if it stops responding... it looks like it's dead.
Does FreeRadius work synchronously only, so a slow response from one remote
server stops any other pending authentications from completing until that
first one is finished?
>
>> So, similar to my Accounting problem, is there any way to prevent a
>> single Authentication failure from backing up the works!? Does FR answer
>> queries in sequence only? I don't really understand why this sort of
>> failure has such a nasty consequence.
>
> What, exactly, is the server supposed to do when the next hop isn't
> responding to packets? Is the next hop up? Is it down? How can you tell?
I'm not sure. If my assumption above is correct, then I don't see a good
solution. I'm thinking of a method like Squid proxy server, where a number
of authenticators are used, so one that's slow or fails doesn't affect
the others.
The only suggestion I can think of right now is to send the server-status
message to the next hop first before marking it dead. I think that would
be a safer assumption when proxying anyway.
>
> It's this kind of thing that makes me think keep-alives should become
> standard for eduroam. The extra few packets every couple of seconds are
> a small cost to pay for ensuring that authentication works.
>
> Alan DeKok.
-Mike
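
The Status-Server probing and keep-alives discussed in this thread, as an added example that is not part of the original messages: a FreeRADIUS 2.x `proxy.conf` home server entry with status checks enabled. The server name, address and secret are placeholders, the timer values are illustrative, and it assumes the next hop answers Status-Server packets.

```conf
# proxy.conf (FreeRADIUS 2.x) - constructed example, not from the thread.
# "eduroam_upstream", 192.0.2.10 and the secret are placeholders.

# Variant without status checks, shown commented out for comparison:
# a server that stops answering is marked dead and is simply assumed
# to be alive again after revive_interval seconds.
#
# home_server eduroam_upstream {
#     type            = auth
#     ipaddr          = 192.0.2.10
#     port            = 1812
#     secret          = CHANGE_ME
#     status_check    = none
#     revive_interval = 120
# }

# Variant with Status-Server probing.
home_server eduroam_upstream {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = CHANGE_ME

    # Seconds to wait for a reply to a proxied request before the
    # home server is treated as unresponsive ("zombie").
    response_window = 20

    # Seconds the server may stay a zombie without answering anything
    # before it is marked dead.
    zombie_period = 40

    # Probe the server with Status-Server packets instead of relying
    # only on replies to users' requests.
    status_check = status-server

    # Seconds between probes.
    check_interval = 30

    # Probe replies required before the server is marked alive again.
    num_answers_to_alive = 3
}
```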