redundant-load-balance for AD ntlmauth

John Douglass john.douglass at oit.gatech.edu
Mon May 6 18:51:48 CEST 2013


I don't just call ntlm_auth because I want to simulate the entire EAP 
request (as if it is another of my wireless controllers) and get regular 
logs from radius that the server is responding. If some (although it 
hasn't happened!) piece of my radius stack has a problem (say, the mysql 
connections break for some reason) I want a full restart of the service. 
Just testing authentication doesn't give me a full radius stack picture.

- John Douglass
Georgia Institute of Technology
Sr. Systems Architect

On 05/06/2013 12:25 PM, Phil Mayers wrote:
> On 06/05/2013 14:40, John Douglass wrote:
>
>>> ntlm_auth talks to winbind. Winbind maintains a single long-lived
>>> connection to a single AD controller.
>>>
>>> It can take anything up to 60 seconds for winbind to realise this
>>> connection has gone down, during which time all ntlm_auth will hang or
>>> fail. This has caused us problems on a number of occasions.
>>>
>>> So in fact, your approach is interesting to me; have you tested it
>>> e.g. by using iptables/ipfw to block access to an AD controller and
>>> seeing if it fails over?
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>
>> I wrote a script that does an eapol_test every minute. If it fails, it
>> immediately tries twice more. If THAT fails, then I restart winbind,
>> restart radius, and things continue on their happy way.
>
> That'll work too, although I wonder why you're not just calling 
> ntlm_auth?
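A watchdog in the shape John describes (one EAP probe a minute, two immediate retries, then a restart of winbind and radius), added here as an illustration and not the script from the thread; the eapol_test invocation, the config path /etc/eapol_test.conf and the service names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Probe the full radius stack with
# eapol_test (assumed flags: -c config, -a server, -s shared secret), retry
# twice on failure, and only then bounce winbind and radius. Service names
# and the config path are placeholders for your own environment.

PROBE_CMD="${PROBE_CMD:-eapol_test -c /etc/eapol_test.conf -a 127.0.0.1 -s testing123}"
RESTART_CMD="${RESTART_CMD:-service winbind restart && service radiusd restart}"
ATTEMPTS=3        # one initial try plus two immediate retries
INTERVAL=60       # seconds between rounds, as in the thread

# run_probe: one probe; success means eapol_test exited 0 (EAP succeeded).
run_probe() {
    sh -c "$PROBE_CMD" >/dev/null 2>&1
}

# probe_with_retries: returns 0 as soon as an attempt succeeds, 1 when all
# ATTEMPTS fail; echoes the number of attempts used so the caller can log it.
probe_with_retries() {
    n=1
    while [ "$n" -le "$ATTEMPTS" ]; do
        if run_probe; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "$ATTEMPTS"
    return 1
}

# watchdog_once: one round. The restart runs only after every retry failed,
# so a single slow answer from AD does not bounce the stack.
watchdog_once() {
    if probe_with_retries >/dev/null; then
        echo ok
        return 0
    fi
    sh -c "$RESTART_CMD" >/dev/null 2>&1
    echo restarted
    return 1
}

# Main loop, enabled only when run as a service (WATCHDOG_LOOP=1), so the
# functions above can also be sourced and exercised on their own.
if [ "${WATCHDOG_LOOP:-0}" = 1 ]; then
    while :; do
        logger -t radius-watchdog "$(watchdog_once)"
        sleep "$INTERVAL"
    done
fi
```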
