[RADIATOR] Loadbalancing requests from Proxy

Heikki Vatiainen hvn at open.com.au
Fri May 17 15:39:33 CDT 2013


On 05/17/2013 03:12 PM, Michael Hulko wrote:
> One note after implementing EAPBALANCE.  I am getting this in the logs
> with a specific user at the moment.
> 
> May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]:
> ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after
> failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646


> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]:
> AuthRADIUS IVEY: Could not find a working host to forward
> asnowdon at ivey.ca (79) after 20 seconds. Ignoring

> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]:
> AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to
> 129.100.160.133:1645 for asnowdon at ivey.ca (64)

> My interpretation of these messages is that the server the EAPBALANCE is
> trying to send the authentication packets to does not respond in the
> appropriate amount of time, the EAPBALANCE Hash does not want to break
> the authentication stream, but never times out long enough to move to
> another server?
> Any input would be helpful.  My thought is to lower the values for
> Retries etc.

You might try this option too.

5.20.64 EAPErrorReject
If an EAP error occurs, REJECT instead of IGNORE. The RFCs say that
IGNORE is the correct behaviour, but REJECT can work better in some load
balancing situations.

If the server that does the actual EAP authentication sees errors it
will drop the request by returning IGNORE. Thus no reply is sent back
and the proxies see timeouts. With EAPErrorReject there is a reply that
keeps the proxies from considering the EAP server dead.

One thing to do is to look at the logs on the EAP terminating servers and see if
they are ignoring requests because of EAP errors.

Thanks,
Heikki



-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
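
Added example, not part of the original message and not Radiator code: a small Python tally of the three proxy log message shapes quoted above, showing which backend the proxy sees as timing out and for which users. The sample lines are constructed with placeholder hosts, realm and users, and the function name `summarize` is an assumption of this example; a backend that is running yet leads the timeout count is the one whose own logs to check for requests ignored because of EAP errors.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (placeholder hosts, realm and users), one log entry per
# line, following the three message shapes quoted in the message above.
SAMPLE_LOG = """\
May 17 07:52:09 proxy1 /usr/bin/radiusd[100]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 192.0.2.10:1645:1646 to 192.0.2.20:1645:1646
May 17 08:07:39 proxy1 /usr/bin/radiusd[100]: AuthRADIUS REALM1: No reply after 20 seconds and 3 retransmissions to 192.0.2.10:1645 for alice@example.org (64)
May 17 08:07:39 proxy1 /usr/bin/radiusd[100]: AuthRADIUS REALM1: Could not find a working host to forward alice@example.org (79) after 20 seconds. Ignoring
May 17 08:09:02 proxy1 /usr/bin/radiusd[100]: AuthRADIUS REALM1: No reply after 20 seconds and 3 retransmissions to 192.0.2.10:1645 for bob@example.org (12)
"""

DECLINED = re.compile(r"declines to break up an EAP stream after failover "
                      r"from ([^\s:]+):\d+:\d+ to ([^\s:]+):\d+:\d+")
NO_REPLY = re.compile(r"No reply after (\d+) seconds and (\d+) retransmissions "
                      r"to ([^\s:]+):\d+ for (\S+) \(\d+\)")
NO_HOST = re.compile(r"Could not find a working host to forward (\S+) \(\d+\)")


def summarize(log_text):
    """Tally, per backend, what the proxy saw as timeouts and stuck EAP streams."""
    timeouts = Counter()        # backend -> requests that got no reply
    users = defaultdict(set)    # backend -> users whose requests timed out
    declined = Counter()        # (from, to) -> failovers HASHBALANCE refused
    no_host = Counter()         # user -> requests dropped, no working host
    for line in log_text.splitlines():
        if m := NO_REPLY.search(line):
            timeouts[m.group(3)] += 1
            users[m.group(3)].add(m.group(4))
        elif m := DECLINED.search(line):
            declined[(m.group(1), m.group(2))] += 1
        elif m := NO_HOST.search(line):
            no_host[m.group(1)] += 1
    return {"timeouts": timeouts, "users": users,
            "declined": declined, "no_host": no_host}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, count in report["timeouts"].most_common():
        print(f"{host}: {count} timeouts, users: {sorted(report['users'][host])}")
    for (src, dst), count in report["declined"].items():
        print(f"declined failover {src} -> {dst}: {count}")
    for user, count in report["no_host"].items():
        print(f"no working host for {user}: {count}")
```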

