Radius proxy
srithar jeevadurai
srijeevadurai1 at gmail.com
Tue Dec 15 07:43:38 CET 2015
Hi Alan,
thanks a lot for your reply.
I thought of redesigning our application with below approach, Can you pls
let me know whether it is possible with freeradius proxy approach?
1) Proxy will handle only auth request and allocate IP for auth request
while reply to NAS. Then put session id into session map.
2) if it is accounting request then it will check whether the session
already opened via auth request by checking session map.
3) if the session already available in session map then proxy server to
forward the same to home server(s) using round robin (load balancing). By
default proxy server does the same.
To do following things at proxy server, we thought of adding a customized
module with proxy server.
rlm_mymodule:
1) It will allocate IP address from free pool of IPs for auth request.
2) keep session detail in session map (while handling auth request).
3) if the request is accounting request then before forwarding it to home
server, it checks whether the session available in session map and return
RLM_OK if it is available (so that it will forward it to home server) else
it will reply RLM_UPDATE (so that it will not forward it to home server(s)).
4) If the request is a stop request then it will free the IP address
allocated (while replying to auth request) and free session detail from
session map.
On Mon, Dec 14, 2015 at 8:58 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Dec 14, 2015, at 10:21 AM, srithar jeevadurai <srijeevadurai1 at gmail.com>
> wrote:
> > Radius proxy is one instance of radiusd binary and each home server (1-n)
> > is one instance of radiusd binary. so totally n+1 radius binary will be
> > running on same host if we go with proxy approach.
>
> That works, but isn't necessarily the best approach.
>
> > Proxy server while doing load balancing, does it follow below rule?
>
> It follows the rules documented in proxy.conf. Please read it. Look
> for "fail-over" in the "home-server-pool" section.
>
> > If a session's first request i.e. auth has been forwarded to a home
> server
> > 1 then all subsequent request of same session will be forwarded to same
> > home instance of home server or it will be forwarded using round robin
> > style.
>
> All retransmits will go to the same home server. Anything else is a
> *very* bad idea.
>
> > If it is round robin and we are using a customized module to trace
> sessions
> > then it would not work since session created with home server 1 and sub
> > sequence request for the session may go to another home server.
>
> Exactly.
>
> Some load-balancers implement round robin. This is stupid and broken,
> and causes problems.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Regards,
Srithar Durairaj
Alternate Mail I.D: srijeevadurai1 at yahoo.co.in
Mobile: +919886251852
More information about the Freeradius-Users
mailing list