Re: [RADIATOR] How to combine HASHBALANCE with AuthBy RadSec?

2015-10-30 Thread Heikki Vatiainen
On 14.9.2015 13.36, Tuure Vartiainen wrote:

>> On 09/08/2015 11:12 AM, Tuure Vartiainen wrote:
>>> We’ll add a Gossip support for RadSec later, probably to 4.16 patches, and look
>>> into implementing equivalent balancing support for RadSec as what there is currently
>>> for RADIUS:
>>>
>>> AuthEAPBALANCE.pm
>>> AuthHASHBALANCE.pm
>>> AuthLOADBALANCE.pm
>>> AuthVOLUMEBALANCE.pm
>>> AuthROUNDROBIN.pm
>>> AuthRADIUSBYATTR.pm
>>
>> Do you have time plan for this?
>>
>> I'm interested in early access to that code, I can offer my time for 
>> betatesting. I know Perl so I can also debug problems if necessary.
>>
>
> Not currently, I’ll get back to this after 4.16 has been released.

AuthBy RADSEC Gossip support is now in 4.16 patches. It's a little 
different from AuthBy RADIUS. Main things are:

1) Messages looped back from Gossip can be handled by the sender radiusd 
instance. Only the AuthBy RADSEC clause that originated the report will 
ignore it. With RADIUS, the looped back report was ignored by the 
originating radiusd.

This allows the same radiusd instance to have the same next hop defined in 
multiple AuthBys while allowing the other AuthBys to see the change in 
next hop reachability.

2) Next hop is recognised by its configured name and port. Using  as an example, if the report tells a.example.com:2083 is 
down, that's enough. The exact IP address that just became unreachable 
does not need to match. With RADIUS, multihomed hosts were marked down 
only if the report had matching IP.

The idea behind this is that the radiusd instances that share 
information should be configured similarly so that 'a.example.com' means 
the same next hop instance for each radiusd no matter which IP address 
they got from the DNS.

Change 1) is likely something that AuthBy RADIUS could benefit from too. 
Change 2) might be more useful for RadSec than plain RADIUS proxying?

As for the proxy algorithms, there's nothing in the patches yet. 
We thought about adding them as configuration options instead of 
creating separate modules. Most of the differences are just in 
overriding the next hop selection algorithm for correct balancing.

Any comments and suggestions are welcome. The proxy algorithm changes 
should start appearing in 4.16 patches soon.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
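
The two Gossip differences described in the message above, as a small Python model (an added example, not Radiator code and not written by the list posters). The class names, instance and clause labels, the 192.0.2.x addresses and the SHA-256 ring walk in choose_host() are assumptions for illustration; the hash selection is a generic stand-in, not AuthHASHBALANCE's chooseHost().

```python
# Illustrative model, not Radiator code; all names here are assumptions.
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Report:                 # one modelled Gossip reachability report
    instance: str             # radiusd instance that published it
    clause: str               # AuthBy clause inside that instance
    name: str                 # configured next hop name
    port: int
    ip: str                   # address the reporter had resolved
    up: bool

@dataclass
class Clause:
    instance: str
    clause: str
    hosts: dict               # (name, port) -> IP this clause resolved
    radsec: bool = True
    down: set = field(default_factory=set)

    def on_gossip(self, r):
        """Return True if the report was applied to this clause."""
        key = (r.name, r.port)
        if self.radsec:
            # Change 1: only the originating clause ignores the loop-back.
            if (r.instance, r.clause) == (self.instance, self.clause):
                return False
            # Change 2: the configured name and port are enough.
            if key not in self.hosts:
                return False
        # RADIUS as described: originating instance ignores, IP must match.
        elif r.instance == self.instance or self.hosts.get(key) != r.ip:
            return False
        (self.down.discard if r.up else self.down.add)(key)
        return True

    def choose_host(self, balance_key):
        """Hash over configured hosts, walking past those marked down."""
        order = sorted(self.hosts)
        if not order:
            return None
        start = int(hashlib.sha256(balance_key.encode()).hexdigest(), 16) % len(order)
        ring = order[start:] + order[:start]
        return next((h for h in ring if h not in self.down), None)

# Constructed sample: a.example.com resolved to a different IP per clause.
A, B = ("a.example.com", 2083), ("b.example.com", 2083)
REPORT = Report("radiusd-1", "authby-1", *A, ip="192.0.2.10", up=False)
```

Walking the ring from the hashed position keeps requests that hashed to a reachable host on that host, so only traffic for the failed next hop moves.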

Re: [RADIATOR] How to combine HASHBALANCE with AuthBy RadSec?

2015-09-14 Thread Tuure Vartiainen
Hi,

> On 11 Sep 2015, at 12:08, Jan Tomasek  wrote:
> 
> On 09/08/2015 11:12 AM, Tuure Vartiainen wrote:
>> We’ll add a Gossip support for RadSec later, probably to 4.16 patches, and look
>> into implementing equivalent balancing support for RadSec as what there is currently
>> for RADIUS:
>> 
>> AuthEAPBALANCE.pm
>> AuthHASHBALANCE.pm
>> AuthLOADBALANCE.pm
>> AuthVOLUMEBALANCE.pm
>> AuthROUNDROBIN.pm
>> AuthRADIUSBYATTR.pm
> 
> Do you have time plan for this?
> 
> I'm interested in early access to that code, I can offer my time for 
> betatesting. I know Perl so I can also debug problems if necessary.
> 

Not currently, I’ll get back to this after 4.16 has been released.


BR
-- 
Tuure Vartiainen 


Re: [RADIATOR] How to combine HASHBALANCE with AuthBy RadSec?

2015-09-11 Thread Jan Tomasek
Hi,

On 09/08/2015 11:12 AM, Tuure Vartiainen wrote:
>> But I need to forward auth requests to RadSec not RADIUS hosts. Is it
>> possible somehow?
>>
>
> Unfortunately, HASHBALANCE only works with AuthBy RADIUS, as it inherits from
> AuthBy RADIUS and just overrides the chooseHost() function.
>
> Same functionality could be achieved by running three instances of Radiator
> on a same host, where first uses HASHBALANCE to proxy UDP RADIUS requests to
> other instances which proxy requests with RadSec:
>
>  --2nd Radiator--RadSec-->
> |
> 1st Radiator--HASHBALANCE--
> |
>  --3rd Radiator--RadSec-->

This disables Server-Status based detection of failed peer - this is 
quite useful.

> Or by creating a new AuthHASHBALANCERADSEC.pm based on AuthHASHBALANCE.pm, but
> which inherits from AuthRADSEC :)

I've spent some time with the source code. AuthHASHBALANCE itself is pretty 
easy, but AuthRADSEC inherits from AuthGeneric, not from AuthRADIUS. And 
AuthRADIUS contains a lot of Gossip related code. Which is another 
feature I'm interested in.

> Currently Gossip notifications only work with AuthBy RADIUS.
>
> We’ll add a Gossip support for RadSec later, probably to 4.16 patches, and look
> into implementing equivalent balancing support for RadSec as what there is currently
> for RADIUS:
>
> AuthEAPBALANCE.pm
> AuthHASHBALANCE.pm
> AuthLOADBALANCE.pm
> AuthVOLUMEBALANCE.pm
> AuthROUNDROBIN.pm
> AuthRADIUSBYATTR.pm

Do you have time plan for this?

I'm interested in early access to that code, I can offer my time for 
betatesting. I know Perl so I can also debug problems if necessary.

-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/

Re: [RADIATOR] How to combine HASHBALANCE with AuthBy RadSec?

2015-09-08 Thread Tuure Vartiainen
Hi,

> On 07 Sep 2015, at 12:18, Jan Tomasek  wrote:
> 
> I'm experimenting with FarmSize and AuthBy HASHBALANCE it works great! 

nice to hear :)

> But I need to forward auth requests to RadSec not RADIUS hosts. Is it 
> possible somehow?
> 

Unfortunately, HASHBALANCE only works with AuthBy RADIUS, as it inherits from 
AuthBy RADIUS and just overrides the chooseHost() function.

Same functionality could be achieved by running three instances of Radiator 
on a same host, where first uses HASHBALANCE to proxy UDP RADIUS requests to 
other instances which proxy requests with RadSec:

--2nd Radiator--RadSec-->
   |
1st Radiator--HASHBALANCE--
   |
--3rd Radiator--RadSec-->


Or by creating a new AuthHASHBALANCERADSEC.pm based on AuthHASHBALANCE.pm, but 
which inherits from AuthRADSEC :)

Currently Gossip notifications only work with AuthBy RADIUS. 

We’ll add a Gossip support for RadSec later, probably to 4.16 patches, and look 
into implementing equivalent balancing support for RadSec as what there is 
currently for RADIUS:

AuthEAPBALANCE.pm
AuthHASHBALANCE.pm
AuthLOADBALANCE.pm
AuthVOLUMEBALANCE.pm
AuthROUNDROBIN.pm
AuthRADIUSBYATTR.pm


BR
-- 
Tuure Vartiainen 


[RADIATOR] How to combine HASHBALANCE with AuthBy RadSec?

2015-09-07 Thread Jan Tomasek
Hi,

I'm experimenting with FarmSize and AuthBy HASHBALANCE it works great! 
But I need to forward auth requests to RadSec not RADIUS hosts. Is it 
possible somehow?

Piece of config I'm using now:

...


   
  Gossip
  UseStatusServerForFailureDetect
  KeepaliveTimeout 5

  NoKeepaliveTimeoutForChildInstances
  FailureBackoffTime 60

  Secret testing123
  RetryTimeout 2
  Retries 0

  
  AuthPort 1812
  AcctPort 1813
  

  
  AuthPort 1812
  AcctPort 1813
  
   


...

PS: Working address jan.toma...@cesnet.cz, I'm working for CESNET.

Thanks
-- 
---
Jan Tomasek aka Semik
http://www.tomasek.cz/