Re: [RADIATOR] Loadbalancing requests from Proxy

2013-05-10 Thread Michael Hulko
Thanks for the suggestion. This seems to alleviate the timeouts that I had 
noticed previously. (Log file was sent separately).

MH



On 2013-05-10, at 5:26 AM, Heikki Vatiainen wrote:

> On 05/09/2013 11:09 PM, Michael Hulko wrote:
>> We have been requested to try and loadbalance requests to a Campus
>> department with their own Radius (IAS) server for their wireless users.
> 
> Hello Michael,
> 
> you mentioned campus and wireless LAN which makes me think there is EAP,
> such as PEAP or TTLS, involved.
> 
> If so, you would need to use  to make sure the EAP
> authentication sessions are always handled by the same IAS server.
> Otherwise you will see failures and timeouts when the IAS servers
> receive requests they are not expecting.
> 
> The Trace 4 log was not included, but I'd first check how it works with
> EAPBALANCE.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca 






Re: [RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE

2013-05-10 Thread Todor Genov
Hi Heikki,

Excerpts from Heikki Vatiainen's message of Fri May 10 15:55:22 +0200 2013:
> Since you have not specified FailureBackoffTime it defaults to 0 and
> might be the cause of the problem you see.

Even with a "FailureBackoffTime 300" the problem is reproducible. For now I'll 
revert to using the default failure detection mechanism. 

Here are logs of a packet stuck in re-transmit with 
UseStatusServerForFailureDetect:

*** Sending to 127.0.0.1 port 1824 
Code:   Accounting-Request
Identifier: 169
Authentic:  <215><135><238><164><229><163>`r<8><29><12>E6c8<186>
Attributes:
User-Name = "a"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Timestamp = 1368196514
Proxy-State = OSC-Extended-Id=169

Fri May 10 16:43:39 2013: INFO: AuthRADIUS : No reply after 505 seconds and 3 
retransmissions to 127.0.0.1:1824 for a (135)

and without UseStatusServerForFailureDetect:

Fri May 10 16:52:12 2013: WARNING: ProxyAlgorithm LOADBALANCE Could not find a 
working host to proxy to
Fri May 10 16:52:12 2013: INFO: AuthRADIUS : Could not find a working host to 
forward a (4) after 4 seconds. Ignoring
Fri May 10 16:52:12 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 
retransmissions to 127.0.0.1:1824 for a (129). Now have 1 consecutive failures 
over 0 seconds. Backing off for 300 seconds

--
todor
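
Added example, not part of the original thread and not Radiator code: a check over "No reply" log lines like the ones above that flags requests which waited far longer than Retries and RetryTimeout allow. The defaults of 3 and 1 come from the config posted in this thread; the function name and the `slack` value are assumptions.

```python
import re

# "No reply" lines copied from this thread, with the mail line wraps joined.
SAMPLE_LOG = """\
Fri May 10 16:43:39 2013: INFO: AuthRADIUS : No reply after 505 seconds and 3 retransmissions to 127.0.0.1:1824 for a (135)
Fri May 10 16:52:12 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1824 for a (129). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
"""

NO_REPLY = re.compile(
    r"^(?P<ts>.+? \d{4}): INFO: AuthRADIUS : No reply after (?P<secs>\d+) seconds "
    r"and (?P<retx>\d+) retransmissions to (?P<host>[\d.]+):(?P<port>\d+) "
    r"for (?P<user>\S+) \((?P<ident>\d+)\)"
)

def find_stuck_requests(log_text, retries=3, retry_timeout=1, slack=2):
    """Return no-reply events that waited longer than the retry budget.

    Budget = first transmission plus `retries` retransmissions, each waiting
    `retry_timeout` seconds; `slack` absorbs timer granularity (assumed value).
    The logged retransmission count reads 3 in both the normal and the stuck
    case in this thread, so elapsed seconds is the field that is compared.
    """
    budget = (retries + 1) * retry_timeout + slack
    stuck = []
    for line in log_text.splitlines():
        m = NO_REPLY.match(line)
        if not m:
            continue
        secs = int(m["secs"])
        if secs > budget:
            stuck.append({"time": m["ts"], "target": f'{m["host"]}:{m["port"]}',
                          "user": m["user"], "waited": secs, "budget": budget})
    return stuck

if __name__ == "__main__":
    for ev in find_stuck_requests(SAMPLE_LOG):
        print(f'{ev["time"]} {ev["target"]} user={ev["user"]} '
              f'waited {ev["waited"]}s (budget {ev["budget"]}s)')
```
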


Re: [RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE

2013-05-10 Thread Heikki Vatiainen
On 05/10/2013 02:33 AM, Todor Genov wrote:

> I have found an issue where the "Retries" clause is ignored when using 
> UseStatusServerForFailureDetect with "AuthBy LOADBALANCE".

Hello Todor,

We have recently received reports about Status-Server probing and there
appear to be some issues that require a further look from us.

However, before doing anything else, please check the reference manual
for 'FailureBackoffTime' and especially this note:

   Caution: with most types of load balancing modules, the
   default of 0 will mean endless retransmission of each
   request until a reply is received.

Since you have not specified FailureBackoffTime it defaults to 0 and
might be the cause of the problem you see.

Thanks,
Heikki

> In a scenario where a downstream proxy becomes unresponsive requests enter a 
> re-transmit loop until the next Status-Server keepalive detects the host has 
> failed and only then requests are ignored.
> 
> To replicate use the following config:
> 
> 
> 
> Retries 3
> RetryTimeout 1
> UseStatusServerForFailureDetect
> KeepaliveTimeout 300
> NoreplyTimeout 1
> 
> AuthPort 1822
> AcctPort 1823
> 
> 
> 
> 
> A single Access-Request is re-transmitted 300 ( KeepaliveTimeout/RetryTimeout 
> ) times instead of 3. Once the request is eventually ignored the following 
> can be seen in the logs: 
> 
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to 
> forward a (76) after 301 seconds. Ignoring
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 
> retransmissions to 127.0.0.1:1822 for a (227)
> 
> When using the same config with "AuthBy RADIUS" the behavior is as expected 
> and the request is re-transmitted only three times then ignored:
> 
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to 
> forward a (1) after 4 seconds. Ignoring
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 
> retransmissions to 127.0.0.1:1822 for a (129)
> 
> Thanks.
> 
> --
> todor
> 


-- 
Heikki Vatiainen 



Re: [RADIATOR] Loadbalancing requests from Proxy

2013-05-10 Thread Heikki Vatiainen
On 05/09/2013 11:09 PM, Michael Hulko wrote:
> We have been requested to try and loadbalance requests to a Campus
> department with their own Radius (IAS) server for their wireless users.

Hello Michael,

you mentioned campus and wireless LAN which makes me think there is EAP,
such as PEAP or TTLS, involved.

If so, you would need to use  to make sure the EAP
authentication sessions are always handled by the same IAS server.
Otherwise you will see failures and timeouts when the IAS servers
receive requests they are not expecting.

The Trace 4 log was not included, but I'd first check how it works with
EAPBALANCE.

Thanks,
Heikki

-- 
Heikki Vatiainen 
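
Added example, not part of the original thread and not Radiator code: a small Python model of the failure described above, where a round-robin proxy sends the middle of an EAP conversation to a server that never saw its start, compared with a proxy that pins each conversation to one server. The `Backend` class, the server names ias1/ias2 and the State-to-server table are assumptions for illustration; how EAPBALANCE tracks sessions internally is not shown on this page.

```python
import itertools

class Backend:
    """Constructed stand-in for one EAP-terminating RADIUS server."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}                 # State value -> messages still expected
        self.serial = itertools.count(1)

    def handle(self, state, rounds):
        if state is None:                  # first message: open a new conversation
            state = f"{self.name}-{next(self.serial)}"
            self.sessions[state] = rounds - 1
            return "Access-Challenge", state
        if state not in self.sessions:     # mid-conversation packet it never started
            return None, None              # no reply: the proxy sees a timeout
        self.sessions[state] -= 1
        if self.sessions[state] <= 0:
            del self.sessions[state]
            return "Access-Accept", None
        return "Access-Challenge", state

def simulate(clients, rounds, sticky):
    """Run `clients` sequential EAP conversations of `rounds` messages each."""
    backends = [Backend("ias1"), Backend("ias2")]   # hypothetical server names
    round_robin = itertools.cycle(backends)
    pinned = {}                            # State -> backend, used only when sticky
    result = {"accepted": 0, "timed_out": 0}
    for _ in range(clients):
        state = None
        while True:
            target = pinned.get(state) if sticky else None
            if target is None:
                target = next(round_robin)
            code, new_state = target.handle(state, rounds)
            if code is None:
                result["timed_out"] += 1
                break
            if code == "Access-Accept":
                pinned.pop(state, None)
                result["accepted"] += 1
                break
            if sticky:
                pinned[new_state] = target
            state = new_state
    return result

if __name__ == "__main__":
    print("round robin:", simulate(10, 4, sticky=False))
    print("sticky:     ", simulate(10, 4, sticky=True))
```
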
