List: dhcp-server
Subject: Using dhcpd as back-end for load-balanced RADIUS servers
From: "Greger V. Teigre" <greger () teigre ! com>
Date: 2004-03-22 10:35:42
Message-ID: 00a901c40ff9$70931fe0$7b00a8c0 () axxessanywhere ! com
I have not been able to find any documentation or discussions on this topic:
We have two RADIUS servers authenticating dial-up and VPN users for access to corporate LANs. Each RADIUS server has a dhcpd server back-end serving IP address pools to its RADIUS server, and the servers are geographically distributed. (The RADIUS servers are Interlink Networks RAD-Ps.) Load balancing is implemented by distributing load across the RADIUS servers. Thus, once an access request reaches a RADIUS server, the RADIUS server and the dhcpd server MUST respond to the request. The RADIUS servers do not support redundant dhcpd servers and expect a given dhcpd server to respond. The dhcpd servers have been set up in failover mode with the failover protocol communicating across a VPN tunnel.

My problem has been the load balancing scheme, as the standard failover/load balancing setup assumes that both dhcpd servers can hear and reply to a given request (unless one is down). I have inspected the code to find a way to make both servers respond to ALL requests. As far as I can see, the RADIUS servers will always send a DHCPDISCOVER with a (fake) MAC address calculated based on the username. The dhcpd server should preferably offer the same IP address within the lease time.

From what I can see, a potential problem could be: if the user loses a connection, re-dials, and then the secondary RADIUS (and thus dhcpd) server gets the request, a new address is offered. If many users do this, the address pool will run out. We cannot use too short release times since we cannot use ping to check addresses and a user could still be connected when a lease is released.

As a test, we have configured the "load balancing max seconds" parameter to -1. It seems to me (from tracing the code) that this will cause each server to always respond and give us what we want. Questions:

1. Will this cause any problems that I cannot see? (especially with respect to address management)
2. I believe this is not a documented feature. Is there any other (better) way to accomplish this?
3. Any possibility of including such a "no load-balancing" setup as a supported and documented feature?
Best regards,
Greger Teigre
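For readers unfamiliar with the setup the post refers to, this is what a standard ISC dhcpd failover declaration with load balancing looks like; it is an added example, not configuration from the post or from ISC, and the peer name, addresses and pool range are assumptions. With `split 128` each peer answers roughly half of the client hardware addresses by hash, and `load balance max seconds` is the threshold on the client's secs field above which a server also answers clients the hash assigned to its peer; that is the parameter the poster experimented with setting to -1.

```conf
# Primary peer's side of the failover relationship (assumed names/addresses).
failover peer "radius-pool" {
  primary;                     # the other server declares "secondary;"
  address 192.0.2.1;           # this server's failover endpoint (assumption)
  port 647;
  peer address 192.0.2.2;      # the peer reached over the VPN tunnel (assumption)
  peer port 647;
  max-response-delay 60;       # seconds without peer traffic before it is presumed down
  max-unacked-updates 10;
  mclt 3600;                   # maximum client lead time
  split 128;                   # hash buckets 0-127 to primary, 128-255 to secondary
  # A client whose secs field exceeds this value is answered even by the peer
  # that the hash would normally tell to stay silent.
  load balance max seconds 3;
}

# Pool handed to the RADIUS front-end (addresses are assumptions).
subnet 10.10.0.0 netmask 255.255.255.0 {
  pool {
    failover peer "radius-pool";
    range 10.10.0.10 10.10.0.250;
  }
}
```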