Sam Schultz wrote:
> According to my research, FreeRADIUS supposedly does work from
> behind an LVS load balancer. My current configuration works
> perfectly outside of the LVS, but once it is put behind the LVS it
> ceases to work. Connections seem to succeed even behind the LVS,
> until they get to an access challenge, where I get:
>
> rad_recv: Access-Challenge packet from host 192.168.240.111:5058, id=42, length=64
> Authentication reply packet code 11 sent to a non-proxy reply port from client WPA_Test:5058 - ID 42 : IGNORED

Somehow Access-Challenge packets are being sent to the RADIUS server. This could be because some UDP-level routing is incorrect in LVS.

> From what little information I could find on this, it looks like
> the freeradius thinks these are proxied requests due to ip mangling
> done by the LVS load balancer (Basically, it's a 1:1 NAT).

Even if the LVS load balancer is doing IP mangling, it has no business sending Access-Challenges to a RADIUS server on port 1812. Those challenges are sent FROM the server, and should have been sent back to the NAS.

A larger problem with LVS is that if you're doing Access-Challenges, the responses MUST go back to the RADIUS server that sent the challenge. So a UDP-level load balancer that doesn't understand RADIUS may not work.

> P.S. Alan, I would definitely think this (LVS + FreeRADIUS) would
> be a good topic for your book

I plan on having a chapter on that, yes. I've been trying to get Xen installed on a machine, without much luck. (Xen gets part way through booting... stops... and reboots).

As for your other message:

> I was thinking there may be some way to coerce FR into
> thinking the load balancer is another radius server sending over
> proxied requests, or something like that.

The simplest way to do that is (perhaps not surprisingly) to run FreeRADIUS as a proxy, doing RADIUS-aware load balancing. Since that machine won't be doing authentication (DB's are slow), there's no reason it can't handle proxying 5k RADIUS requests/s.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
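
An added sketch (not part of the original message and not FreeRADIUS code) of the two points in the reply: reply codes such as Access-Challenge (11) never belong on a server's request port, and a balancer that reads the RADIUS packet can keep a multi-round-trip conversation on one server. The backend names, the MAC address and the choice of Calling-Station-Id as the hash key are assumptions made for the illustration.

```python
import hashlib
import struct
from itertools import cycle

REPLY_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
CALLING_STATION_ID = 31  # RFC 2865 attribute type

def build(code, ident, attrs):
    """Build a constructed RADIUS packet (zeroed authenticator) for the demo."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, id, {type: value}); reject malformed length fields."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute")
        t, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, attrs

def pick_keyed(pkt, servers):
    """RADIUS-aware choice: hash Calling-Station-Id so one session sticks."""
    code, _, attrs = parse(pkt)
    if code in REPLY_CODES:
        raise ValueError(f"{REPLY_CODES[code]} must go to the NAS, not a server")
    key = attrs.get(CALLING_STATION_ID, b"")
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return servers[h % len(servers)]

def demo():
    servers = ["radius-a", "radius-b"]   # hypothetical backends
    mac = b"00-11-22-33-44-55"           # constructed supplicant MAC
    # Four Access-Requests (code 1) belonging to one challenge/response exchange.
    session = [build(1, i, [(CALLING_STATION_ID, mac)]) for i in range(4)]
    rr = cycle(servers)
    blind = {next(rr) for _ in session}  # RADIUS-blind round robin
    keyed = {pick_keyed(p, servers) for p in session}
    return blind, keyed
```

`demo()` returns the set of backends each strategy touched for the single conversation: round robin spreads it over both servers, the keyed choice stays on one.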