Sending authentication-requests to multiple radius-servers
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Nov 28 22:17:03 CET 2012
On 28 Nov 2012, at 14:02, Stefan Kuegler <freeradius at kuegler.org> wrote:
> Hello.
>
> I have a short question:
> Is it possible to send an authentication-request from a client to multiple servers simultaneously?
>
>                                            +----------+
>                                     /----->| radius A |
> +--------+    +--------------+     /       +----------+
> | client |--->| radius proxy |X
> +--------+    +--------------+     \       +----------+
>                                     \----->| radius B |
>                                            +----------+
>
> We now authenticate with HMAC-based One Time Password Token (aka event-based token) from a Cisco ASA via radius to only one freeradius-server. But we want to establish a second authentication server for failover reasons.
>
> When using event-based tokens, it's absolutely necessary that every server receives the same authentication request simultaneously from the client to trigger the next "event" on the server side.
Is there really a requirement for the Authentication-Request to hit simultaneously, or just within a short period of time? Most OTP token systems do have a built-in fudge period where the previous token code will still be accepted. If this is the case you should be able to tune the failover period so that it occurs within the period and tune the retransmit times on the NAS so that it provides enough requests to trigger the failover.
Alternatively you can use multicast. There's some alpha code for v3 which Alan wrote a while back but has not been integrated. It allows you to listen on a multicast IP address for RADIUS packets and would allow you to do what you've described.
Let me know if you want to try this and I'll merge it into the main repo.
You could also use rlm_replicate to duplicate the packet, but there's currently no way of checking the aliveness of a realm at runtime, so you'd end up sending duplicate requests to whatever the primary OTP server was.
-Arran
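The "fudge period" Arran refers to is, for RFC 4226 event-based (HOTP) tokens, usually implemented as a server-side look-ahead window: the server accepts the code for its expected counter or any of the next s counters and resynchronises to whichever matched. The following script is an added illustration, not code from this thread or from FreeRADIUS, and assumes the HOTP algorithm from RFC 4226 with a configurable look-ahead window (real OTP products differ in window size and direction). It models two validation servers that each keep their own counter and shows what happens when requests reach only the primary until it fails over: drift inside the window is absorbed, drift beyond it is not, and a replayed code is rejected either way.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """Event-based token: every press emits the code for the current counter and advances it."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """One validation server holding its own copy of the token counter.

    look_ahead is the RFC 4226 's' parameter: the server accepts the code for
    counter, counter+1, ..., counter+look_ahead and resynchronises to the match.
    """

    def __init__(self, name: str, secret: bytes, look_ahead: int = 5) -> None:
        self.name = name
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0  # next counter value this server expects

    def authenticate(self, code: str) -> bool:
        for offset in range(self.look_ahead + 1):
            candidate = self.counter + offset
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # resync past the counter that was just used
                return True
        return False  # outside the window: reject and leave the counter untouched


def failover_scenario(look_ahead: int, presses_before_failover: int):
    """Constructed scenario (hypothetical, not from the thread): server A alone handles the
    first N presses, then A goes away and the next press reaches server B, whose counter
    never moved. Returns (accepted_by_b, b_counter_after, replay_accepted)."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, used as a sample
    token = Token(secret)
    a = OtpServer("A", secret, look_ahead)
    b = OtpServer("B", secret, look_ahead)
    for _ in range(presses_before_failover):
        assert a.authenticate(token.press())
    code = token.press()
    accepted = b.authenticate(code)
    replay = b.authenticate(code)  # same code again: must fail whether or not it was accepted
    return accepted, b.counter, replay


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))  # 755224, the first RFC 4226 test vector
    print(failover_scenario(5, 3))  # (True, 4, False): drift of 3 events is inside the window
    print(failover_scenario(5, 7))  # (False, 0, False): drift of 7 events exceeds it
    print(failover_scenario(0, 1))  # (False, 0, False): no window, one missed event breaks B
```

The practical reading is the one Arran gives: if the secondary only ever sees traffic after a failover, its counter lags by however many authentications the primary handled in between, so the NAS retransmit schedule and the proxy's failover timing need to be such that the secondary is exercised before that lag exceeds the window; otherwise the secondary will reject valid codes until its counter is resynchronised by hand.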
More information about the Freeradius-Users mailing list