Configuring FreeRADIUS Behind Azure Load Balancer - Health Probe Issue

nabble at felix.world nabble at felix.world
Fri Feb 7 11:01:38 UTC 2025


It should also work with HAProxy (or any other ingress controller which is able to handle TCP routes and PROXY protocol).
I’ve just used it before and never had any issues with it, therefore also never searched for an alternative.

> Could you share more details on how you configured Traefik behind the Azure Load Balancer? 

Add their CRDs to your cluster and add an IngressRouteTCP object.

> Did you just add the ingress?
A normal ingress is HTTP only. 

> Are clients preserving their IP?
Yes. How this can be accomplished is different depending on the managed K8S provider. Have a look at the externalTrafficPolicy, and yes, you’ll also need PROXY Protocol to preserve the client IP from your ingress controller to the actual service/pod.

But just google on how you can preserve the actual client IP address in AKS. 

BR, 
Lineconnect



> On 7. Feb 2025, at 11:42, Luca Borruto <luca.borruto at agicap.com> wrote:
> 
> Hi and thanks for your response,
> Currently I’m trying to configure FreeRADIUS without an ingress controller, just behind the Azure Load Balancer, however, since you got it working with Traefik I will try it (I'm using haproxy but don't mind switching to Traefik, it's a new cluster).
> I'm fairly new to k8s so I'm still on the learning side...
> Could you share more details on how you configured Traefik behind the Azure Load Balancer? Did you just add the ingress? Are clients preserving their IP? Do you need additional configuration on freeradius side?
> I came across this but not sure if that's related to what I want to achieve : https://www.freeradius.org/documentation/freeradius-server/3.2.7/howto/protocols/proxy/index.html
> Appreciate any insights you can provide,
> 
> Le ven. 7 févr. 2025 à 10:54, <nabble at felix.world> a écrit :
> Hi Luca, 
> 
> What is your ingress controller to handle the TCP route? 
> We’ve the same setup but with Traefik in front of FreeRADIUS which also solves your problem since Traefik will have the port open even if there is no radius server behind it. 
> And in regards to the startup-probe for the container, you can add the node IP (where the probes will be sent from) as environment variable to allow connections from it.
> Besides that I would use the K8S functionalities to ensure that the service is healthy like PDB, horizontal pod autoscaling etc. 
> 
> BR, 
> Lineconnect
> 
> > On 7. Feb 2025, at 09:20, Luca Borruto via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > 
> > Hello everyone,
> > 
> > I am currently running FreeRADIUS v3.2.6 on K8S behind an Azure Load
> > Balancer, serving RadSec (TLS on TCP 2083) for wifi EAP authentication.
> > 
> > The load balancer is configured with a TCP health probe on port 2083 to
> > verify the service’s availability (that's the way Azure LB works), the
> > issue is that FreeRADIUS does not seem to accept these health probe
> > requests. In the logs, I see messages like:
> > 
> > Ignoring request to auth+acct proto tcp address * port 2083 (TLS)
> > bound to server default from unknown client 10.0.2.4 port 3286 proto
> > tcp
> > 
> > The health probe originates from internal ALB IPs (e.g., 10.0.2.4,
> > 10.0.2.33). FreeRADIUS rejects them as unknown clients and as a result, the
> > load balancer marks the service as unhealthy and so, the traffic is not
> > achieved to the freeradius pods.
> > 
> > I am looking for guidance on the recommended way to configure FreeRADIUS to
> > work behind an Azure Load Balancer:
> > 
> > What is the best practice for handling this scenario? Any official
> > recommendations or insights from the community would be greatly appreciated.
> > 
> > Best regards,
> > Luca Borruto
> > IT System Administrator
> 
> 
> 
> -- 
> Luca Borruto
> IT System Administrator
>  luca.borruto at agicap.com
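
What the PROXY protocol mentioned in the reply puts on the wire, as an added example that is not part of the original thread: a parser for the v1 and v2 headers an ingress controller prepends to the TCP stream, which honours the header only when the TCP peer is a trusted proxy. The network in `TRUSTED_PROXIES`, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
# Assumption: pod network the ingress controller connects from (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16")]
# Constructed sample headers: client 203.0.113.7:51234 -> backend 10.244.1.5:2083
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.244.1.5 51234 2083\r\n"
SAMPLE_V2 = (V2_SIG + bytes([0x21, 0x11, 0, 12]) + socket.inet_aton("203.0.113.7")
             + socket.inet_aton("10.244.1.5") + struct.pack("!HH", 51234, 2083))

def parse_proxy_header(data):
    """Return ((src_ip, src_port) or None, bytes_consumed); ValueError if invalid."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2 or len(data) < 16 + length:
            raise ValueError("bad version or truncated v2 header")
        if ver_cmd & 0x0F == 0:             # LOCAL: the proxy's own connection
            return None, 16 + length
        if fam == 0x11 and length >= 12:    # TCP over IPv4
            src, _dst, sport, _dport = struct.unpack("!4s4sHH", data[16:28])
            return (socket.inet_ntoa(src), sport), 16 + length
        if fam == 0x21 and length >= 36:    # TCP over IPv6
            src, _dst, sport, _dport = struct.unpack("!16s16sHH", data[16:52])
            return (socket.inet_ntop(socket.AF_INET6, src), sport), 16 + length
        raise ValueError("unsupported address family")
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)    # a v1 line is at most 107 bytes
        if end < 0:
            raise ValueError("truncated v1 header")
        parts = data[:end].decode("ascii").split(" ")
        if parts[1] == "UNKNOWN":           # proxy could not name the client
            return None, end + 2
        if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
            raise ValueError("malformed v1 header")
        return (str(ipaddress.ip_address(parts[2])), int(parts[4])), end + 2
    raise ValueError("no PROXY header")

def effective_client(peer_ip, first_bytes):
    """Address a backend should use for client matching on this connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip                      # never honour a header from an untrusted peer
    src, _consumed = parse_proxy_header(first_bytes)
    return src[0] if src else peer_ip
```

The header is unauthenticated, so a listener that accepts it should be reachable only from the ingress controller; otherwise any peer can claim an arbitrary source address.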


