Eduroam & FreeRadius not working so well
Mike Diggins
mike.diggins at mcmaster.ca
Thu Dec 6 03:19:10 CET 2012
This is my proxy.conf. The only value I've adjusted so far is response
window (from 20 down to 5). Otherwise, I believe it's configured correctly
to failover between the two home servers. I'll have to work on the debugs.
proxy server {
    default_fallback = yes
}

home_server proxy1 {
    type = auth+acct
    ipaddr = x.x.x.x
    port = 1812
    secret = xxxxxxxxxx
    response_window = 5
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server proxy2 {
    type = auth+acct
    ipaddr = x.x.x.x
    port = 1812
    secret = xxxxxxxxxxxx
    response_window = 5
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

home_server_pool EDUROAM-FTLR {
    type = fail-over
    home_server = proxy1
    home_server = proxy2
}

realm mydomain.ca {
    strip
}

realm LOCAL {
    nostrip
}

realm NULL {
    nostrip
}

realm DEFAULT {
    pool = EDUROAM-FTLR
    nostrip
}

-Mike
On Wed, 5 Dec 2012, Alan Buxey wrote:
> Hi,
>
>> This is the RedHat RPM which I believe is maintained by RedHat.
>> Hopefully they've back ported any major security issues!
>
> got the changelog for the 2.1.12 RPM release you are running?
>
>> It does both authentication and proxy and I do have status-check
>> enabled. On the controller I increased the default timeout from 2
>> seconds up to 8 seconds. At the same time I lowered the
>
> 2 seconds is very low for international RADIUS proxying...the traffic
> needs to get to the end site...and then be dealt with by the end site
> (which may take 1 - many seconds to actually authenticate the user
> once the tunnel is created). somewhere around 10 seconds is the maximum
> I would expect for global roaming authentication via multiple proxy peers
>
> the RADIUS server is at the mercy of the controller and the remote sites...
> who might not be answering at all...they could just reject.
>
> I haven't seen a sanity error message like that since the troublesome 2.1.7 - 2.1.9
> days when the proxy code got some rewrites in places.....
>
> I wonder if your proxy.conf for the home server stuff is correct and not
> flipping requests between remote proxies?
>
> what does the server show/say in full debug mode with a test remote account?
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list
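
Added example, not part of the original thread and not FreeRADIUS code: a small Python check that parses proxy.conf-style home_server and home_server_pool sections and lists the pool members whose response_window is shorter than a latency budget chosen by the caller (for instance the roughly 10 seconds the quoted reply gives for roaming authentication). The sample config, its addresses and the function names are constructed for illustration; the fallback of 20 is the value the post says response_window was lowered from.

```python
import re

# Constructed sample in the same shape as the proxy.conf posted above
# (addresses are documentation placeholders, not real servers).
SAMPLE = """
home_server proxy1 {
    type = auth+acct
    ipaddr = 192.0.2.1
    response_window = 5
}
home_server proxy2 {
    type = auth+acct
    ipaddr = 192.0.2.2
    response_window = 12
}
home_server_pool EDUROAM-FTLR {
    type = fail-over
    home_server = proxy1
    home_server = proxy2
}
"""

BLOCK = re.compile(r"^\s*(\w+)\s+([\w.-]+)\s*\{(.*?)^\s*\}", re.S | re.M)
PAIR = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse(text):
    """Return {(section, name): [(key, value), ...]} for each named section."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line comments only
    return {(s, n): PAIR.findall(body) for s, n, body in BLOCK.findall(text)}

def short_windows(text, budget):
    """List (pool, member, response_window) where the window is below budget seconds."""
    conf = parse(text)
    findings = []
    for (section, pool), pairs in conf.items():
        if section != "home_server_pool":
            continue
        for key, member in pairs:  # a pool repeats the home_server key per member
            if key != "home_server":
                continue
            settings = dict(conf.get(("home_server", member), []))
            window = int(settings.get("response_window", 20))  # assumed fallback
            if window < budget:
                findings.append((pool, member, window))
    return findings
```

Calling short_windows(open("proxy.conf").read(), 10) on a real file reports each affected pool member together with its configured window.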