auto scaling freeradius instance on openshift and state-ID problem

work vlpl thework.vlpl at gmail.com
Sun Oct 29 15:48:03 UTC 2023


On Sat, 28 Oct 2023 at 15:22, Mesut GULNAZ <mesutgl at gmail.com> wrote:

>
> when I auto-scale the freeradius to more than 1, openshift platform is
> unable to send the response coming from the client side with state-ID to
> the correct radius POD.
I guess you are trying to use some "standard" UDP load balancer (or
controller IIRC how it is named) on k8s cluster from OpenShift. I know
nothing about it but I think it assumes that any server behind load
balancer is always equal and does not store any state, therefore it
assumes that any request will be served correctly.
In simple cases, when the radius server can get all the necessary
information to make a decision about authentication from 1 incoming
radius packet, this will work.
But in cases when authentication requires many roundtrips between the
radius client and radius server, for example during EAP authentication
and checking SSL cert, the load balancer has to send all packets in
"session" to the same radius server. Other servers behind LB simply
will not have enough information to continue establishing EAP "tunnel"
and will abort authentication.

If you have many radius clients that send packets to k8s load
balancer, you can try to configure the load balancer to use a
combination of IP + src port as a hash key that will be used to route
all incoming packets to the same server behind LB.
If you have only 1 client and want to use LB to be able to spread load
between many servers behind LB, you probably need to find LB that can
read/parse radius protocol and for example use Calling-Station-ID
attribute as a hash key to route traffic to the same radius server
behind LB.
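The routing rule described above, as an added example that is not code from the poster or from FreeRADIUS: a minimal RADIUS attribute parser plus a backend selector that hashes Calling-Station-Id when present and falls back to the client's IP + source port, so every packet of one EAP session lands on the same pod. The pod names and the packet contents are constructed for the example; the attribute numbers are the standard ones from RFC 2865.

```python
import hashlib
import struct

ATTR_CALLING_STATION_ID = 31  # RFC 2865 attribute type
ATTR_STATE = 24               # the State attribute the EAP round trips carry


def parse_attributes(packet: bytes) -> dict:
    """Parse a RADIUS packet (20-byte header + TLV attributes) into {type: value}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20  # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def pick_backend(packet: bytes, src_ip: str, src_port: int, backends: list) -> str:
    """Choose a backend so all packets of one EAP session hit the same server.

    Prefers Calling-Station-Id (needed when one client sends everything from
    one socket); otherwise hashes IP + source port as the mail suggests.
    """
    attrs = parse_attributes(packet)
    key = attrs.get(ATTR_CALLING_STATION_ID) or f"{src_ip}:{src_port}".encode()
    digest = hashlib.sha256(key).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a RADIUS packet with a zero authenticator (constructed test input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16)
    return header + body
```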

