[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: Sending authentication-requests to multiple radius-servers
From: Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date: 2012-11-29 11:09:42
Message-ID: 8407B8A9-4EF4-45BC-83A1-736BF4F722CC () freeradius ! org
[Download RAW message or body]
On 29 Nov 2012, at 09:21, Stefan Kuegler <freeradius@kuegler.org> wrote:
> Hi Arran.
>
> > > You could also use rlm_replicate to duplicate the packet, but there's currently \
> > > no way of checking the aliveness of a realm at runtime, so you'd end up sending \
> > > duplicate requests to whatever the primary OTP server was.
> >
> > and that wouldn't help if you were actually wanting to authenticate the user \
> > instead of just performing some kind of synchronisation between the OTP servers.
> >
> Because we don't have any multicast-infrastructure, I will try rlm_replicate.
You can't setup a VLAN between the OTP servers and the RADIUS server? You don't need \
all the fancy IGMP/PIM stuff if you can get the devices in the same L2 domain.
> Do you have some information, which files do I have do modify ?
>
> Thanks for your help.
>
Sure, you use the control attribute Proxy-To-Realm to specify multiple realms to \
replicate to, and then call the replicate module.
update control {
Replicate-To-Realm := <foo>
Replicate-To-Realm += <bar>
}
replicate
Thinking about it you may be able to setup something like:
proxy.conf:
home_server otp0 {
type = acct
ipaddr = <foo>
port = 1812
secret = <bar>
}
home_server otp1 {
type = acct
ipaddr = <foo>
port = 1812
secret = <bar>
}
home_server_pool otp0 {
home_server = otp1
home_server = otp0
}
home_server_pool otp1 {
home_server = otp0
home_server = otp1
}
realm otp0 {
auth_pool = otp0
}
realm otp1 {
auth_pool = otp1
}
sites-available/default:
authorize {
update control {
Proxy-To-Realm := otp0
Replicate-To-Realm := otp1
}
replicate
}
IIRC home server state is tracked on a per homeserver basis (irrespective of pool), \
and proxy-to-realm and replicate-to-realm will only replicate to the first alive \
server in a given pool. So the above *may* do exactly what you want, with the caveat \
that the replicated packets won't be retransmitted if they're lost.
Should work ok in v2.x.x
-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic