
List:       freeradius-users
Subject:    Re: Sending authentication-requests to multiple radius-servers
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2012-11-29 11:09:42
Message-ID: 8407B8A9-4EF4-45BC-83A1-736BF4F722CC () freeradius ! org


On 29 Nov 2012, at 09:21, Stefan Kuegler <freeradius@kuegler.org> wrote:

> Hi Arran.
> 
> > > You could also use rlm_replicate to duplicate the packet, but there's currently no way of checking the aliveness of a realm at runtime, so you'd end up sending duplicate requests to whatever the primary OTP server was.
> > 
> > and that wouldn't help if you were actually wanting to authenticate the user instead of just performing some kind of synchronisation between the OTP servers. 
> > 
> Because we don't have any multicast-infrastructure, I will try rlm_replicate.

You can't set up a VLAN between the OTP servers and the RADIUS server? You don't need all the fancy IGMP/PIM stuff if you can get the devices in the same L2 domain.

> Do you have some information, which files do I have do modify ?
> 
> Thanks for your help.
> 

Sure, you use the control attribute Proxy-To-Realm to specify multiple realms to replicate to, and then call the replicate module.

update control {
	Replicate-To-Realm := <foo>
	Replicate-To-Realm += <bar>
}

replicate

Thinking about it you may be able to set up something like:

proxy.conf:
home_server otp0 {
        type = auth          # members of an auth_pool must be type auth (or auth+acct)
        ipaddr = <foo>
        port = 1812
        secret = <bar>
}

home_server otp1 {
        type = auth
        ipaddr = <foo>
        port = 1812
        secret = <bar>
}

home_server_pool otp0 {
        home_server = otp1
        home_server = otp0
}

home_server_pool otp1 {
        home_server = otp0
        home_server = otp1
}

realm otp0 {
        auth_pool = otp0
}

realm otp1 {
        auth_pool = otp1
}

sites-available/default:
authorize {
	update control {
		Proxy-To-Realm := otp0
		Replicate-To-Realm := otp1
	}

	replicate
}

IIRC home server state is tracked on a per homeserver basis (irrespective of pool), and proxy-to-realm and replicate-to-realm will only replicate to the first alive server in a given pool. So the above *may* do exactly what you want, with the caveat that the replicated packets won't be retransmitted if they're lost.

Should work ok in v2.x.x

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
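As an added check that is not part of the mail above or of the FreeRADIUS project: a small Python linter for the realm -> auth_pool -> home_server chain in a proxy.conf like the one sketched above. It parses the one-level sections and reports any pool referenced from an auth_pool whose servers are not declared type = auth (or auth+acct), the kind of slip that is easy to make when cloning home_server blocks; the sample configuration is constructed, with otp0 deliberately misdeclared.

```python
import re
# Constructed sample based on the proxy.conf above; otp0 deliberately misdeclared "type = acct".
SAMPLE_PROXY_CONF = """
home_server otp0 {
    type = acct
}
home_server otp1 {
    type = auth
}
home_server_pool otp0 {
    home_server = otp1
    home_server = otp0
}
home_server_pool otp1 {
    home_server = otp0
    home_server = otp1
}
realm otp0 {
    auth_pool = otp0
}
realm otp1 {
    auth_pool = otp1
}
"""
SECTION_RE = re.compile(r"^\s*(home_server|home_server_pool|realm)\s+(\S+)\s*\{")
KV_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)")
def parse_proxy_conf(text):
    conf = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    current = None  # entry list of the open section; a pool's entry order is its fail-over order
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = conf[m[1]].setdefault(m[2], [])
        elif line.strip() == "}":
            current = None
        elif (m := KV_RE.match(line)) and current is not None:
            current.append((m[1], m[2]))
    return conf

def check_auth_pools(conf):
    """Report realm -> auth_pool -> home_server chains that cannot carry Access-Requests."""
    problems = []
    for realm, items in conf["realm"].items():
        for pool in (v for k, v in items if k == "auth_pool"):
            if pool not in conf["home_server_pool"]:
                problems.append(f"realm {realm}: auth_pool {pool} is undefined")
            for hs in (v for k, v in conf["home_server_pool"].get(pool, []) if k == "home_server"):
                hs_type = dict(conf["home_server"].get(hs, [])).get("type", "<undefined home_server>")
                if hs_type not in ("auth", "auth+acct"):
                    problems.append(f"pool {pool} (auth_pool of realm {realm}): home_server {hs} has type {hs_type}")
    return problems
```

Running check_auth_pools(parse_proxy_conf(SAMPLE_PROXY_CONF)) flags otp0 once per pool it appears in; changing its type to auth clears both reports.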


