Question on dynamic home_server
Yushu Shi (yusshi)
yusshi at cisco.com
Wed Jun 15 00:37:10 UTC 2022
Thank you Alan and Michael for your replies.
Sadly this is what our customer demands. Their deployment has multiple regions. Each region has multiple RADIUS servers. For an individual NAS device, its primary and secondary regions are resolved by DNS query based on the geographic location of the NAS. As the NAS provider, we are required to do round-robin inside the primary region's server pool. When all servers in the primary region fail, we should fall back to the secondary region.
It looks like we have to use a separate process to resolve the IP addresses of all servers and then change the config files. But I tried changing the ipaddr of the home_server in proxy.conf and sending a HUP signal to freeradius, and freeradius still proxies to the previous IP address. It looks like changing the ipaddr of the home server does not work. Is this true?
Is there any way to fail-over between two home server pools?
On 6/14/22, 12:49 PM, "Alan DeKok" <aland at deployingradius.com> wrote:
On Jun 14, 2022, at 12:03 AM, Yushu Shi (yusshi) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Need some help with using freeradius as a proxy to two RADIUS server pools.
> The requirement is like below:
I agree with Michael here. This is not an appropriate use-case.
> * There are two server pools, identified with host names: primary.radius.myorg.com and secondary.radius.myorg.com.
> * DNS request to the two host names returns the IP addresses of several servers in the pool in a round-robin fashion, i.e., the “host primary.radius.myorg.com” command returns 3 IP addresses.
> * IP address of each server may get changed. Need to honor DNS TTL timer.
> * All auth requests should be directed to the hosts in the primary pool round robin, and only fail over to the secondary if all hosts behind the primary are unresponsive.
> Is there any way to accomplish these requirements without restarting the process? How should I create the home_server pools in proxy.conf to do this?
You can't do this, and you shouldn't do this.
DNS round robin is when you have many clients (e.g. thousands or more), and you want them to spread their connections across many back-end servers. This isn't the case with RADIUS.
With RADIUS, you have one RADIUS server. It knows how to spread its packets across multiple back-ends.
This requirement won't do what you want, and it won't work with FreeRADIUS.
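For readers who land on this thread looking for what FreeRADIUS actually supports, here is an added example (not part of the original thread, not the poster's code, and not FreeRADIUS project code) of the "separate process" approach the poster mentions: take addresses already resolved for the primary and secondary regions, render proxy.conf home_server blocks and a single fail-over home_server_pool, track the shortest DNS TTL to know when to re-resolve, and only rewrite the file when the rendered content changed. The resolver itself is stubbed out; the hostnames, IPs (RFC 5737 documentation ranges) and shared secret are placeholders. The pool type fail-over gives the "secondary only when all primaries are dead" half of the requirement, but FreeRADIUS has no pool type that round-robins inside a pool (load-balance picks the least busy server), so the example does not claim to meet that half.

```python
"""Render FreeRADIUS home_server / home_server_pool blocks from resolved
addresses, and decide when proxy.conf actually needs rewriting.

Constructed example for the thread above; not FreeRADIUS code and not the
poster's code. Hostnames, IPs and the secret are placeholders. DNS lookups
are stubbed: a real deployment would feed (address, ttl) pairs from a resolver.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resolved:
    """One A record as a DNS client sees it: address plus TTL and lookup time."""
    address: str
    ttl: int            # seconds the answer is valid for
    resolved_at: float  # wall-clock time of the lookup (time.time())

    def expires_at(self) -> float:
        return self.resolved_at + self.ttl


def render_home_server(name: str, ipaddr: str, secret: str) -> str:
    # One home_server block per resolved address. The dead-detection options
    # (status_check, zombie_period, ...) are real FreeRADIUS 3.x settings;
    # the values are illustrative, not tuned recommendations.
    return (
        f"home_server {name} {{\n"
        f"\ttype = auth\n"
        f"\tipaddr = {ipaddr}\n"
        f"\tport = 1812\n"
        f"\tsecret = {secret}\n"
        f"\tresponse_window = 20\n"
        f"\tzombie_period = 40\n"
        f"\trevive_interval = 120\n"
        f"\tstatus_check = status-server\n"
        f"\tcheck_interval = 30\n"
        f"\tnum_answers_to_alive = 3\n"
        f"}}\n"
    )


def render_proxy_conf(primary: list, secondary: list,
                      realm: str, secret: str) -> str:
    """Emit home_servers plus ONE fail-over pool: primary addresses first,
    then secondary. A fail-over pool sends to the first live server in list
    order, so the secondary region is used only after every primary entry
    has been marked dead. It does NOT round-robin inside the primary set."""
    names, out = [], []
    for region, addrs in (("primary", primary), ("secondary", secondary)):
        for i, ip in enumerate(addrs, start=1):
            name = f"{region}{i}"
            names.append(name)
            out.append(render_home_server(name, ip, secret))
    pool = ["home_server_pool pool_geo {", "\ttype = fail-over"]
    pool += [f"\thome_server = {n}" for n in names]
    pool.append("}\n")
    out.append("\n".join(pool))
    out.append(f"realm {realm} {{\n\tauth_pool = pool_geo\n}}\n")
    return "\n".join(out)


def next_refresh(records: list) -> float:
    """Honouring TTL means re-resolving when the shortest-lived answer expires."""
    return min(r.expires_at() for r in records)


def conf_digest(conf: str) -> str:
    return hashlib.sha256(conf.encode()).hexdigest()


def needs_rewrite(previous_digest: Optional[str], new_conf: str) -> bool:
    """Only touch proxy.conf when the rendered content changed. The poster
    observed that a HUP did not pick up a changed ipaddr, so the caller
    should plan for a radiusd restart after each rewrite, not a HUP."""
    return previous_digest != conf_digest(new_conf)


if __name__ == "__main__":
    # Constructed resolver output for the two regional hostnames.
    now = 1_700_000_000.0
    prim = [Resolved("192.0.2.10", 60, now), Resolved("192.0.2.11", 300, now)]
    sec = [Resolved("198.51.100.10", 120, now)]
    conf = render_proxy_conf([r.address for r in prim],
                             [r.address for r in sec], "myorg.com", "testing123")
    print(conf)
    print("re-resolve at", next_refresh(prim + sec))
    print("rewrite needed:", needs_rewrite(None, conf))
```

The digest check matters operationally: every rewrite implies a restart of the proxy, and with three-address round-robin answers the order of records changes on every lookup, so compare the rendered content (sorted or as-ordered, consistently) rather than the raw DNS response before deciding to restart anything.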