Failover with Active Directory
Alan DeKok
aland at deployingradius.com
Mon Aug 17 13:22:35 CEST 2020
On Aug 17, 2020, at 2:16 AM, Robert Miller <miller.robertw at outlook.com> wrote:
> I have been doing a lot of research and reading to set up freeradius to work with my situation. The final issue I'm not able to solve is failover. It seems when I test by disabling the network card on one of my Active Directory servers, freeradius no longer works correctly. When watching the debug it is usually super quick, when one AD is down the debug is really slow. I believe that it being slow is the reason why the authorizations fail, they timeout. As soon as I bring either one of the downed ADs back online it works well.
From mods-available/ldap:
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
This also works for connections.
But to be realistic, that timeout might not work on older versions of libldap before 2.4. And there's very little that we can do to fix it. FreeRADIUS doesn't implement the LDAP protocol. Instead it relies on the OpenLDAP libldap libraries. And if those libraries don't time out quickly enough, we can't do much about it.
The short answer is that if RADIUS is critical for network access, you MUST ensure that RADIUS and all of the things it needs are up and running.
Alan DeKok.
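As an added illustration (not part of the original post, and not a configuration the poster supplied), here is what the relevant part of mods-available/ldap looks like when both Active Directory servers are listed and the timeouts are lowered so that a dead server is abandoned quickly. The hostnames dc1/dc2.example.com, the bind identity, the password and the base_dn are placeholders and would need to be replaced with real values; the option names and the options { } block are the ones from the FreeRADIUS 3.x ldap module.

```text
ldap {
	# Two AD servers, separated by a space. libldap tries them in
	# turn, so when dc1 is unreachable the connection falls through
	# to dc2 -- but only after net_timeout seconds on dc1.
	# (example hostnames, not from the original post)
	server = 'dc1.example.com dc2.example.com'

	# Placeholder bind credentials and search base (assumptions).
	identity = 'cn=radius,cn=Users,dc=example,dc=com'
	password = 'changeme'
	base_dn = 'dc=example,dc=com'

	options {
		# Seconds to wait for a query result. default: 20
		res_timeout = 5

		# Server-side time limit for the search. default: 20
		srv_timelimit = 3

		# Seconds to wait on network operations, including the
		# initial connect (LDAP_OPT_NETWORK_TIMEOUT). default: 10
		# With a disabled NIC the SYN is never answered, so every
		# attempt against that host costs this long before libldap
		# moves on; keep it well below the NAS's RADIUS timeout.
		net_timeout = 1
	}
}
```

The important relationship is the one Alan points at: the NAS retries RADIUS after its own timeout (commonly a few seconds), so net_timeout multiplied by the number of dead servers listed must stay below that, or every request that has to skip a down server will still be seen by the NAS as a RADIUS timeout. And, as noted above, if the installed libldap predates 2.4 the network timeout may simply not be honoured, in which case no value here helps and the only real fix is keeping the LDAP servers reachable.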