Question about SQL fail open in post-auth and keyed-balance use in load balancing configuration

John Douglass john.douglass at oit.gatech.edu
Mon Nov 24 16:48:33 CET 2014


Question 1: I thought I once read how to add this "fail open" in regards
to using an SQL module. I have a table that gets updated after an auth,
but if the DB is slow or there is a network issue, I want it to go on.
It's not vital to auth the user, just using it as a "location update" of
sorts.

Is this the correct configuration for this behavior?

post-auth {
        redundant {
                sql_location
                handled
        }
}

Question 2: I am experimenting with load balancing. I read the comments
about keyed-balance:

    #  keyed-balance - the home server is chosen by hashing (FNV)
    #    the contents of the Load-Balance-Key attribute from the
    #    control items.  The request is then sent to home server
    #    chosen by taking:
    #
    #        server = (hash % num_servers_in_pool).
    #
    #    If there is no Load-Balance-Key in the control items,
    #    the load balancing method is identical to "load-balance".
    #
    #    For most non-EAP authentication methods, The User-Name
    #    attribute provides a good key.  An "unlang" policy can
    #    be used to copy the User-Name to the Load-Balance-Key
    #    attribute.  This method may not work for EAP sessions,
    #    as the User-Name outside of the TLS tunnel is often
    #    static, e.g. "anonymous@realm".

If the username is a bad choice, I figured that the Calling-Station-Id
(which in my case is the client MAC) would be a way to consistently have
the same Load-Balance-Key.

I am adding this to my server {} section:

    pre-proxy {
           update control {
              Load-Balance-Key := "%{Calling-Station-Id}"
           }
           updated
    }


But I am only seeing use of one of the defined proxy servers as defined
in my "home_server_pool {}" section when I force auths to this server.
Would not expect every MAC address to hash to the same radius back end
given the variation of MAC addresses:

home_server = vm1
home_server = vm2

Is the above pre-proxy{} segment doing what I think it should do? Update
the Load-Balance-Key to the control before it hits the proxy segment?

Just want some confirmation that I am on the right track or I am going
about this wrong (or if what I'm trying is not a good idea/possible).

Thanks!
- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology
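
The selection rule quoted in the message, server = (hash % num_servers_in_pool), worked through as an added Python example; it is not part of the original post and is not FreeRADIUS code. It shows how distinct Calling-Station-Id values spread over a two-server pool, and that one MAC sent in different formats can land on different servers unless the key is normalised first. Assumptions: the standard 32-bit FNV-1 variant (the quoted comment says only "FNV"), and the hypothetical helper names and constructed sample MACs below.

```python
import string
from collections import Counter

FNV_OFFSET = 0x811C9DC5  # 32-bit FNV offset basis
FNV_PRIME = 0x01000193   # 32-bit FNV prime


def fnv1_32(data):
    """Standard 32-bit FNV-1 (assumed variant; the quoted comment says only "FNV")."""
    h = FNV_OFFSET
    for byte in data:
        h = (h * FNV_PRIME) & 0xFFFFFFFF  # multiply, keep 32 bits
        h ^= byte                         # then mix in the next octet
    return h


def pick_server(key, pool):
    """server = (hash % num_servers_in_pool), as in the quoted comment."""
    return pool[fnv1_32(key.encode()) % len(pool)]


def normalise_mac(value):
    """Hypothetical helper: reduce a MAC to 12 lowercase hex digits, else return it unchanged."""
    digits = "".join(c for c in value if c in string.hexdigits).lower()
    return digits if len(digits) == 12 else value


def distribution(keys, pool):
    """Count how many keys land on each home server."""
    return Counter(pick_server(k, pool) for k in keys)


POOL = ["vm1", "vm2"]  # the two home servers named in the post

# Constructed sample Calling-Station-Id values, not taken from any real network.
SAMPLE_MACS = [
    "00-11-22-33-44-55", "00-11-22-33-44-56", "a4-5e-60-c1-02-9f",
    "3c-07-54-1b-aa-11", "f0-de-f1-8c-22-07", "b8-27-eb-45-12-9d",
]

# The same constructed MAC written in three common formats.
SAME_MAC = ["00-11-22-33-44-55", "00:11:22:33:44:55", "001122334455"]

if __name__ == "__main__":
    print(dict(distribution(SAMPLE_MACS, POOL)))
    for raw in SAME_MAC:
        print(raw, "->", pick_server(raw, POOL),
              "| normalised ->", pick_server(normalise_mac(raw), POOL))
```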


