Re: [FreeRadius] Random port for proxy requests?

2002-08-26 Thread Chris Parker

At 10:29 AM 8/25/2002 -0400, Tabor J. Wells wrote:
>On Sun, Aug 25, 2002 at 12:09:10PM +0200,
>Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:
>
> > It's LVS (http://www.linuxvirtualserver.org)
> > What do you recommend to load-balance RADIUS traffic? Any suggestion?
>
>I've used Alteon products (now owned by Nortel) to load balance my RADIUS
>traffic at my last company. They are RADIUS aware and will do their health
>checks by trying to do an auth against each real server behind the virtual
>IPs.

You should be able to load balance with any UDP-aware load balancer as
long as you are not trying to proxy the requests from your systems to
anywhere else.

If you want to proxy from your systems, the situation becomes more complex
as you need to keep some sort of state so that proxy replies are returned
to the system that originally sent them.  Or you need to start playing with
different interfaces for inbound/outbound traffic (so that your NAS sees
the RADIUS server behind the LB, but proxy traffic outbound takes a different
source IP specific to each machine).

A couple ways to do it, but you really have to have a solid understanding
of the radius protocol and the implications of source addresses and how
radius servers utilize the packet source to make decisions.

-Chris
--
\\\|||///  \  StarNet Inc.  \ Chris Parker
\ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
| @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: [FreeRadius] Random port for proxy requests?

2002-08-25 Thread Tabor J. Wells

On Sun, Aug 25, 2002 at 12:09:10PM +0200,
Xavier Mertens <[EMAIL PROTECTED]> is thought to have said:

> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

I've used Alteon products (now owned by Nortel) to load balance my RADIUS
traffic at my last company. They are RADIUS aware and will do their health
checks by trying to do an auth against each real server behind the virtual
IPs.

-- 

Tabor J. Wells [EMAIL PROTECTED]
Fsck It! Just another victim of the ambient morality




Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-25 Thread Alan DeKok

Xavier Mertens <[EMAIL PROTECTED]> wrote:
> It's LVS (http://www.linuxvirtualserver.org)
> What do you recommend to load-balance RADIUS traffic? Any suggestion?

  No, sorry.  I would probably recommend using a custom version of
FreeRADIUS, as it knows about the RADIUS protocol.

  The LVS load-balancer appears to just load-balance random UDP
packets, and probably doesn't even work with RADIUS.

  Alan DeKok.
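
The difference the thread is about, as an added example that is not code from any poster, FreeRADIUS or LVS: a balancer that keys on source address and port sends every proxied request from port 8002 to one backend, while one that reads the RADIUS header can also key on the Identifier, which RFC 2865 uses together with source IP and port to detect duplicates. The backend names, the client address and both picker functions are assumptions made for the illustration.

```python
import hashlib
import struct

BACKENDS = ["rad1", "rad2", "rad3"]  # hypothetical real servers behind the virtual IP

def build_access_request(identifier: int) -> bytes:
    """Constructed sample: a bare 20-byte RADIUS header (RFC 2865), no attributes."""
    authenticator = bytes([identifier]) * 16  # filler, random in real traffic
    return struct.pack("!BBH", 1, identifier, 20) + authenticator

def parse_header(packet: bytes):
    """Return (code, identifier); reject datagrams that are not well-formed RADIUS."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    return code, identifier

def _pick(key: bytes) -> str:
    digest = hashlib.sha256(key).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]

def pick_by_flow(src_ip, src_port, packet):
    """Generic UDP model: one source address and port is treated as one session."""
    return _pick(f"{src_ip}:{src_port}".encode())

def pick_radius_aware(src_ip, src_port, packet):
    """Key on source IP, source port and Identifier, so a retransmission
    reaches the same backend but distinct requests can spread out."""
    _, identifier = parse_header(packet)
    return _pick(f"{src_ip}:{src_port}:{identifier}".encode())

def distribution(picker, src_ip="192.0.2.10", src_port=8002, count=256):
    """Count backend choices for `count` requests from one proxy socket."""
    counts = {b: 0 for b in BACKENDS}
    for ident in range(count):
        counts[picker(src_ip, src_port, build_access_request(ident))] += 1
    return counts

if __name__ == "__main__":
    print("flow hash   :", distribution(pick_by_flow))
    print("RADIUS-aware:", distribution(pick_radius_aware))
```

Multi-round exchanges such as EAP need further stickiness that this sketch does not model.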




Re: [FreeRadius] Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-25 Thread Xavier Mertens

It's LVS (http://www.linuxvirtualserver.org)
What do you recommend to load-balance RADIUS traffic? Any suggestion?

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Fri, 23 Aug 2002, Alan DeKok wrote:

> 
> Xavier Mertens <[EMAIL PROTECTED]> wrote:
> > To be honest, I don't know why the load-balancer does not perform its job.
> > Seems that it imagines that all requests from the same source port belong to
> > the same session... :(
> 
>   Then it's not a RADIUS load balancer.
> 
>   Alan DeKok.
> 
> 





Re: [FreeRadius] Re: Random port for proxy requests?

2002-08-22 Thread Xavier Mertens

Your comments are right.
To be honest, I don't know why the load-balancer does not perform its job.
Seems that it imagines that all requests from the same source port belong to
the same session... :(

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

On Thu, 22 Aug 2002, Alan DeKok wrote:

> 
> Xavier <[EMAIL PROTECTED]> wrote:
> > My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> > But all packets are forwarded with the same source port (8002) and the LVS is
> > unable to load-balance. Any suggestion or a patch to generate a random port?
> 
>   Why would this be necessary?  Why can't the load-balancer do
> something intelligent?
> 
> 
>   In order for FreeRADIUS to send proxied requests from random ports,
> it would have to open, and listen on, *many* sockets.  This gets
> expensive.  It also doesn't add anything to the server, and just makes
> it slower and more complicated.
> 
>   Alan DeKok.
> 
> 





Re: Random port for proxy requests?

2002-08-22 Thread Alan DeKok

Xavier <[EMAIL PROTECTED]> wrote:
> My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
> But all packets are forwarded with the same source port (8002) and the LVS is
> unable to load-balance. Any suggestion or a patch to generate a random port?

  Why would this be necessary?  Why can't the load-balancer do
something intelligent?


  In order for FreeRADIUS to send proxied requests from random ports,
it would have to open, and listen on, *many* sockets.  This gets
expensive.  It also doesn't add anything to the server, and just makes
it slower and more complicated.

  Alan DeKok.




Random port for proxy requests?

2002-08-22 Thread Xavier

Hi,

I just installed a FreeRadius, works fine! Seems to be a very strong
implementation of the RADIUS protocol.

But, I already have a question. :)

My radiusd is used as a proxy and sends requests to a load-balancer (LVS).
But all packets are forwarded with the same source port (8002) and the LVS is
unable to load-balance. Any suggestion or a patch to generate a random port?

Xavier

--
http://www.rootshell.be
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

