Sending authentication-requests to multiple radius-servers

Stefan Kuegler freeradius at kuegler.org
Sat Dec 1 15:50:22 CET 2012


Hi Arran.

>>>> You could also use rlm_replicate to duplicate the packet, but there's currently no way of checking the aliveness of a realm at runtime, so you'd end up sending duplicate requests to whatever the primary OTP server was.
>>>
>>> and that wouldn't help if you were actually wanting to authenticate the user instead of just performing some kind of synchronisation between the OTP servers.
>>>
>>>
>> Because we don't have any multicast-infrastructure, I will try rlm_replicate.
>
> You can't set up a VLAN between the OTP servers and the RADIUS server? You don't need all the fancy IGMP/PIM stuff if you can get the devices in the same L2 domain.
No, not really. The 2nd server is about 250km away :-)

> Sure, you use the control attribute Proxy-To-Realm to specify multiple realms to replicate to, and then call the replicate module.
>
> update control {
> 	Replicate-To-Realm := <foo>
> 	Replicate-To-Realm += <bar>
> }
>
> replicate
>
> Thinking about it you may be able to set up something like:
>
> proxy.conf:
> home_server otp0 {
>         type = auth
>         ipaddr = <foo>
>         port = 1812
>         secret = <bar>
> }
>
> home_server otp1 {
>         type = auth
>         ipaddr = <foo>
>         port = 1812
>         secret = <bar>
> }
>
> home_server_pool otp0 {
>         home_server = otp1
>         home_server = otp0
> }
>
> home_server_pool otp1 {
>         home_server = otp0
>         home_server = otp1
> }
>
> realm otp0 {
>          auth_pool = otp0
> }
>
> realm otp1 {
>          auth_pool = otp1
> }
>
> sites-available/default:
> authorize {
> 	update control {
> 		Proxy-To-Realm := otp0
> 		Replicate-To-Realm := otp1
> 	}
>
> 	replicate
> }
>
> IIRC home server state is tracked on a per homeserver basis (irrespective of pool), and proxy-to-realm and replicate-to-realm will only replicate to the first alive server in a given pool. So the above *may* do exactly what you want, with the caveat that the replicated packets won't be retransmitted if they're lost.
>
> Should work ok in v2.x.x

I will try.

Thanks a lot.

Stefan
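Added example, not part of the thread or of FreeRADIUS itself: a small Python model of the scheme Arran sketches. It parses a constructed proxy.conf fragment in the same brace syntax (addresses and secrets are made-up placeholders), checks that every server behind an auth_pool is an auth-type home server (an acct-type server in an auth pool is rejected by the server at config load), and then applies the rule from the thread, "send to the first alive server in the pool", to every combination of server aliveness. That makes the two caveats visible: with both servers alive the proxied and replicated copies reach different servers, but as soon as one server is marked dead both copies land on the survivor, and only the proxied copy is ever retransmitted.

```python
"""Model of Proxy-To-Realm + Replicate-To-Realm fan-out over two pools.

Assumptions (constructed for this example, not FreeRADIUS code):
  - a realm delivers to the first *alive* home server in its pool;
  - the proxied copy is retransmitted on loss, the replicated copy is not.
"""
import re
from itertools import product

# Constructed sample mirroring the config quoted in the thread. Addresses and
# secrets are placeholders; type = auth because the pools are used as auth_pool.
PROXY_CONF = """
home_server otp0 {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = example-secret-0
}
home_server otp1 {
    type = auth
    ipaddr = 192.0.2.11
    port = 1812
    secret = example-secret-1
}
home_server_pool otp0 {
    home_server = otp1
    home_server = otp0
}
home_server_pool otp1 {
    home_server = otp0
    home_server = otp1
}
realm otp0 {
    auth_pool = otp0
}
realm otp1 {
    auth_pool = otp1
}
"""


def parse_conf(text):
    """Minimal parser for the flat 'kind name { key = value ... }' shape.
    Returns {(kind, name): [(key, value), ...]} preserving repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s+(\S+)\s*\{$", line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif line == "}":
            current = None
        else:
            if current is None:
                raise ValueError("key/value outside a section: %r" % line)
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def build_tables(sections):
    """Split parsed sections into server, pool and realm lookup tables."""
    servers = {n: dict(kv) for (k, n), kv in sections.items() if k == "home_server"}
    pools = {n: [v for key, v in kv if key == "home_server"]
             for (k, n), kv in sections.items() if k == "home_server_pool"}
    realms = {n: dict(kv).get("auth_pool")
              for (k, n), kv in sections.items() if k == "realm"}
    return servers, pools, realms


def check_types(servers, pools, realms):
    """Config sanity check: every server behind an auth_pool must be auth-capable."""
    problems = []
    for realm, pool in realms.items():
        if pool not in pools:
            problems.append("realm %s: auth_pool %s is not defined" % (realm, pool))
            continue
        for s in pools[pool]:
            if s not in servers:
                problems.append("pool %s: home_server %s is not defined" % (pool, s))
            elif servers[s].get("type") not in ("auth", "auth+acct"):
                problems.append("pool %s (auth_pool of realm %s): home_server %s has "
                                "type %r, not auth" % (pool, realm, s, servers[s].get("type")))
    return problems


def first_alive(pool, alive):
    """The delivery rule from the thread: first alive server in pool order."""
    return next((s for s in pool if alive.get(s)), None)


def destinations(servers, pools, realms, proxy_realm, replicate_realm, alive):
    """Return (server receiving the proxied request, server receiving the replica)."""
    return (first_alive(pools[realms[proxy_realm]], alive),
            first_alive(pools[realms[replicate_realm]], alive))


def fanout_table(servers, pools, realms, proxy_realm="otp0", replicate_realm="otp1"):
    """One row per aliveness state: (alive, proxied_to, replicated_to, duplicate?)."""
    rows = []
    for a0, a1 in product([True, False], repeat=2):
        alive = {"otp0": a0, "otp1": a1}
        p, r = destinations(servers, pools, realms, proxy_realm, replicate_realm, alive)
        rows.append((alive, p, r, p is not None and p == r))
    return rows


if __name__ == "__main__":
    tables = build_tables(parse_conf(PROXY_CONF))
    print("config problems:", check_types(*tables) or "none")
    for alive, p, r, dup in fanout_table(*tables):
        print("alive=%s proxied->%s (retransmitted) replicated->%s (fire-and-forget)%s"
              % (alive, p, r, "  <- both copies hit the same server" if dup else ""))
```

Run it as-is to see the four aliveness states; swap `type = auth` for `type = acct` in the sample to see the loader-style check fire for every server behind an auth_pool.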


