
List:       dhcp-server
Subject:    Using dhcpd as back-end for load-balanced RADIUS servers
From:       "Greger V. Teigre" <greger () teigre ! com>
Date:       2004-03-22 10:35:42
Message-ID: 00a901c40ff9$70931fe0$7b00a8c0 () axxessanywhere ! com


I have not been able to find any documentation or discussions on this topic:
We have two RADIUS servers authenticating dial-up and VPN users for access to
corporate LANs. Each RADIUS server has a dhcpd server back-end serving IP address
pools to its RADIUS server, and the servers are geographically distributed. (The
RADIUS servers are Interlink Networks RAD-Ps.) Load balancing is implemented by
distributing load across the RADIUS servers. Thus, once an access request reaches a
RADIUS server, the RADIUS server and the dhcpd server MUST respond to the request.
The RADIUS servers do not support redundant dhcpd servers and expect a given dhcpd
server to respond. The dhcpd servers have been set up in failover mode with the
failover protocol communicating across a VPN tunnel.

My problem has been the load balancing scheme, as the standard failover/load balancing
setup assumes that both dhcpd servers can hear and reply to a given request (unless
one is down). I have inspected the code to find a way to make both servers respond
to ALL requests. As far as I can see, the RADIUS servers will always send a
DHCPDISCOVER with a (fake) MAC address calculated based on the username. The dhcpd
server should preferably offer the same IP address within the lease time.

From what I can see, a potential problem could be: If the user loses a connection,
re-dials, and then the secondary RADIUS (and thus dhcpd) servers get the request, a
new address is offered. If many users do this, the address pool will run out. We
cannot use too short release times since we cannot use ping to check addresses and a
user could still be connected when a lease is released.

As a test, we have configured the "load balancing max seconds" parameter to -1. It
seems to me (from tracing the code) that this will cause each server to always
respond and give us what we want. Questions:

1. Will this cause any problems that I cannot see? (especially with respect to
   address management)
2. I believe this is not a documented feature. Is there any other (better) way to
   accomplish this?
3. Any possibility of including such a "no load-balancing" setup as a supported and
   documented feature?

Best regards,
Greger Teigre
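For readers who want to see where the parameter under discussion lives, the following is an added, constructed dhcpd.conf fragment for the primary failover peer; it is not configuration from the poster or from ISC, and the peer name, addresses, pool range and lease times are assumptions chosen for illustration. It shows the documented failover peer declaration with the standard "load balance max seconds" setting (the value that decides when a peer may answer a request the load-balance hash assigned to the other peer), the pool bound to that peer, and the long leases and disabled ping check that the post describes as constraints. The -1 value the poster experimented with is not shown as a setting here, since the post presents it as an undocumented test rather than a supported value.

```conf
# Added example (not from the original post or from ISC): primary dhcpd of a
# two-node failover pair, one node behind each RADIUS server.
# All names, addresses and timers below are assumed for illustration.

# The post notes that addresses cannot be probed before allocation, so ping
# checking is turned off and leases are kept long enough that an address is
# not reused while a dial-up/VPN user may still be holding it.
ping-check off;
default-lease-time 86400;     # assumed: one day
max-lease-time 172800;        # assumed: two days

failover peer "vpn-pool" {    # assumed peer name; must match on both nodes
  primary;
  address 192.0.2.10;         # assumed: this node's failover endpoint
  port 647;
  peer address 198.51.100.10; # assumed: the secondary, reached over the VPN tunnel
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;                  # primary only: maximum client lead time
  split 128;                  # primary only: half of the hash buckets to each peer

  # Standard setting: a peer answers a request hashed to the other peer only
  # once the client's "secs" field exceeds this value. This is the parameter
  # the post experiments with; the documented form takes a non-negative number
  # of seconds.
  load balance max seconds 3;
}

subnet 10.20.0.0 netmask 255.255.0.0 {   # assumed pool serving the RADIUS servers
  pool {
    failover peer "vpn-pool";
    range 10.20.1.1 10.20.15.254;
  }
}
```

The secondary node carries a matching declaration with `secondary;` in place of `primary;`, its own `address`/`peer address` pair reversed, and no `mclt` or `split` lines (those are accepted only on the primary). Both nodes must reference the same pool through `failover peer "vpn-pool";` for the lease state to be replicated across the tunnel, which is the prerequisite for the behaviour the post is trying to obtain.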
