[RADIATOR] Ignoring effects of dead server monitoring

Heikki Vatiainen hvn at open.com.au
Tue Aug 18 16:27:04 UTC 2020


On 17.8.2020 17.33, Howard, Christopher wrote:

> Our network hardware is using radius for authentication (802.1x and 
> management CLI). They monitor for dead radius servers by sending an 
> authentication for a non-existent username and watching for the reject. 
> If a reject never comes, then it assumes the server is dead and stops 
> using it for a configured amount of time.

Have you tested how quickly it notices failure if you don't do 
monitoring? The timers and counters that control failover behaviour are 
typically configurable. I can see that this type of polling can be 
quicker to notice a non-responsive server but it may be worth checking 
if lack of responses to real requests would work well enough.

There's actually a polling method that's designed for this:
https://tools.ietf.org/html/rfc5997

RFC 5997 defines a special Status-Server message. The downside is that 
not many clients support it.

> We use the SNMPAgent for monitoring and this is seriously skewing 
> results. Because of this, right now 85% of all authentication is 
> rejected, which is extremely high. Is it possible to still reject the 
> authentication request because it is a nonexistent username, but not 
> include these rejects in the snmp statistics? Something like: if 
> username x; then reject, don't log, don't add to statistics.

There's no configuration option for this. Part of the problem is also 
that, for example, accessRequests counter is incremented separately from 
access reject counter. In other words, there's no single place to do this.

The polling the client does is a bit too in-band to be easily separated 
from the rest of the traffic.


Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
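The RFC 5997 probe mentioned above, worked through as an added example with both sides of the exchange. This is not code from the post and not Radiator's implementation: the shared secret, the identifier and (optionally) the 16 request-authenticator bytes are supplied by the caller so it runs offline and deterministically, and the client-side checks (Response Authenticator, Message-Authenticator) are the ones a practitioner would want before trusting a probe reply.

```python
"""RFC 5997 Status-Server probe, both client and server side, in pure Python.

Added example for the thread above; not code from the post and not Radiator's
implementation. Shared secret, identifier and (optionally) the request
authenticator are passed in by the caller so the exchange runs offline; a
real client takes the authenticator from os.urandom(16), the default below.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12          # packet code defined by RFC 5997
ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869, mandatory in the probe
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def _with_message_authenticator(code, ident, auth, attrs, secret):
    """Build a packet whose last attribute is a valid Message-Authenticator.

    HMAC-MD5 keyed with the shared secret over the whole packet with the
    attribute's 16 value bytes zeroed (RFC 2869 section 5.14).
    """
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    body = attrs + placeholder
    packet = HEADER.pack(code, ident, HEADER.size + len(body), auth) + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def build_status_server(ident, secret, req_auth=None):
    """Client side: a Status-Server request carrying only Message-Authenticator."""
    if req_auth is None:
        req_auth = os.urandom(16)
    return _with_message_authenticator(STATUS_SERVER, ident, req_auth, b"", secret)


def verify_message_authenticator(packet, secret, req_auth):
    """None if attribute 80 is absent, else True/False for its HMAC-MD5.

    For replies the HMAC is computed with the *request* authenticator in the
    header slot, so the caller passes it explicitly.
    """
    attrs = packet[HEADER.size:]
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False  # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            start = HEADER.size + pos + 2
            zeroed = (packet[:4] + req_auth + packet[20:start]
                      + b"\x00" * 16 + packet[start + 16:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[start:start + 16])
        pos += alen
    return None


def server_reply(request, secret):
    """Server side: validate the probe and answer with Access-Accept."""
    code, ident, length, req_auth = HEADER.unpack_from(request)
    if code != STATUS_SERVER or length != len(request):
        raise ValueError("not a well-formed Status-Server packet")
    if verify_message_authenticator(request, secret, req_auth) is not True:
        raise ValueError("missing or bad Message-Authenticator (wrong secret or tampered)")
    reply = _with_message_authenticator(ACCESS_ACCEPT, ident, req_auth, b"", secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[:4] + resp_auth + reply[20:]


def verify_reply(request, reply, secret):
    """Client side: is this a genuine Access-Accept for our probe?"""
    if len(reply) < HEADER.size:
        return False
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if length != len(reply) or ident != req_ident or code != ACCESS_ACCEPT:
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    # A reply without Message-Authenticator is accepted on the Response
    # Authenticator alone; one that carries it must verify (design choice here).
    return verify_message_authenticator(reply, secret, req_auth) is not False


if __name__ == "__main__":
    secret = b"testing123"  # constructed sample secret
    probe = build_status_server(1, secret)
    print("server alive:", verify_reply(probe, server_reply(probe, secret), secret))
```

Because the probe is a distinct packet code, a server that implements RFC 5997 can answer it without touching the Access-Request or Access-Reject counters, which is exactly the separation the non-existent-username trick cannot give you.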

