Group,

Recently, my AD servers were patched by another support group and this caused a (small but noticeable) service outage for our WPA radius services (Radius 2.1.9).

I am curious how others who are using AD as their backends have either configured smb.conf/winbind/radius in order to do high availability for authentications.

I do have configured:

smb.conf

    password server = server1.ad.gatech.edu server2.ad.gatech.edu

But that didn't seem to help with failures. What I am seeing in the logs (during outages such as these) is:

Mar 3 06:47:55 dvlanb radiusd[17093]: Discarding duplicate request from client My-WiSM port 32770 - ID: 95 due to unfinished request 466
Mar 3 06:47:55 dvlanb radiusd[17093]: Child PID 17274 is taking too much time: forcing failure and killing child.

I am pretty certain this is from a non-responsive "ntlm_auth" call.

I have searched for options to winbind and ntlm_auth that might assist in caching authentication requests so that slight hiccups like these do not disturb our users.

I thought of possibly writing a custom "ntlm_auth" script that performs a cache lookup and responds as ntlm_auth regularly would; if there is no valid cache entry, it would try the real ntlm_auth command and then add a cache entry.

Does someone have any suggestions on configuration changes on radius or samba that might help?

From my sites-available/wpa-services file:

authorize {
    #
    #  The preprocess module takes care of sanitizing some bizarre attributes in
    #  the request, and turning them into attributes which are more standard.
    preprocess

    #
    #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
    #  authentication.
    eap {
        ok = return
    }

    #
    #  Look in an SQL database.  The schema of the database
    #  is meant to mirror the "users" file.
    sqlwpa
}


#  Authentication.
authenticate {
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #  Allow EAP authentication.
    eap
}

Thanks in advance,
- John Douglass, Senior Systems Architect
Georgia Institute of Technology
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
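A sketch of the caching wrapper the post describes, as an added example (not the poster's or the FreeRADIUS project's code). It assumes the real binary is at /usr/bin/ntlm_auth, a cache file under /var/cache/radiusd, and that the mschap module invokes the wrapper with the usual --username/--challenge/--nt-response arguments; because the key covers all three, only an exact retransmit (like the duplicate request in the log above) is served from cache, and only successes are cached, for a short TTL, since a cached success keeps working after a password change or account disable until it expires.

```python
#!/usr/bin/env python3
"""Caching front end for ntlm_auth (FreeRADIUS mschap calls it per request).
ntlm_auth prints "NT_KEY: <hex>" and exits 0 on success; anything else is a
failure that FreeRADIUS turns into Access-Reject.  Only successes are cached."""
import hashlib
import shelve
import subprocess
import sys
import time

REAL_NTLM_AUTH = "/usr/bin/ntlm_auth"        # assumed location of the real binary
CACHE_PATH = "/var/cache/radiusd/ntlm_auth"  # assumed; writable by the radiusd user only
CACHE_TTL = 30     # seconds a success may be replayed; bounds exposure after a revoke
NTLM_TIMEOUT = 5   # seconds; fail fast instead of letting radiusd kill a hung child

def cache_key(argv):
    """Hash every argument FreeRADIUS passed: user, challenge and response all count."""
    return hashlib.sha256("\0".join(sorted(argv)).encode()).hexdigest()

def run_ntlm_auth(argv):
    """Invoke the real ntlm_auth with a hard timeout; return (exit_code, stdout)."""
    try:
        p = subprocess.run([REAL_NTLM_AUTH] + list(argv), capture_output=True,
                           text=True, timeout=NTLM_TIMEOUT)
        return p.returncode, p.stdout
    except (subprocess.TimeoutExpired, OSError):
        return 1, ""   # a hung or missing backend is a failure, never a cache entry

def cached_auth(argv, cache, runner=run_ntlm_auth, now=time.time):
    """Serve an exact, fresh repeat from cache, else ask the backend.
    Returns (exit_code, stdout, served_from_cache); cache maps key -> (ts, stdout)."""
    key = cache_key(argv)
    hit = cache.get(key)
    if hit is not None and now() - hit[0] < CACHE_TTL:
        return 0, hit[1], True
    code, out = runner(argv)
    if code == 0 and out.startswith("NT_KEY:"):
        cache[key] = (now(), out)   # successes only; failures are always re-queried
    return code, out, False

if __name__ == "__main__":
    # shelve is a simple persistent dict; concurrent radiusd children would need
    # an external lock around this block in production.
    with shelve.open(CACHE_PATH) as store:
        rc, output, _ = cached_auth(sys.argv[1:], store)
    sys.stdout.write(output)
    sys.exit(rc)
```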
