[RADIATOR] AuthBy LDAP2 and FailureBackoffTime

Jan Tomasek jan at tomasek.cz
Thu Jun 3 14:12:22 UTC 2021


I'm running two Radiator servers for authentication of our users in the 
cesnet.cz realm on our eduroam WiFi. Each Radiator has a dedicated LDAP 
server. The WiFi is controlled by a WLC. I expected that if either of the 
RADIUS servers fails, the WLC will fail over to the other. That is true for 
a RADIUS server failure, but not for an LDAP server failure.

In case of an LDAP server failure, Radiator returns Access-Reject for the 
default FailureBackoffTime = 600s. The WLC has no chance to discover that 
there is a problem because it receives a response and continues to send 
clients to the failing RADIUS server. Is there any way to not respond to 
the request when AuthBy LDAP2 fails?

Is there a chance to re-check a failed LDAP server before 
FailureBackoffTime expires? When there is no remaining LDAP server in the 
Host pool, this waiting doesn't make much sense, does it?

At this moment I have reduced FailureBackoffTime from 600s to 60s and 
provided multiple LDAP servers to AuthBy LDAP2, which seems to be working.

My config:

<AuthBy LDAP2>
         Identifier Check2017LDAP

         UsernameMatchesWithoutRealm yes

         Host                    ldap
         Port                    636
         SSLCAFile               /etc/radiator/certs/chain_CESNET_CA4.pem
         FailureBackoffTime      60

         AuthDN                  xxxx
         AuthPassword            xxxx

         BaseDN                  dc=cesnet,dc=cz
         UsernameAttr            uid
         PasswordAttr            radiusPassword
         AuthAttrDef             radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
         EAPType                 PEAP,MSCHAP-V2,LEAP,TTLS

         # 2. 11. 2018 Semik - we stop sending the root certificate
         EAPTLS_CAPath           /etc/ssl/certs/null
         EAPTLS_CertificateFile  /etc/radiator/certs/radius.cesnet.cz.crt
         EAPTLS_CertificateType  PEM
         EAPTLS_PrivateKeyFile   /etc/radiator/certs/radius.cesnet.cz.key
         EAPTLS_PrivateKeyPassword xxxx
         EAPTLS_MaxFragmentSize  1000
         EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}


         EAPTLS_PEAPVersion      0

         EAPAnonymous            %n

         SSLeayTrace             0
</AuthBy>

<Handler Realm=cesnet.cz, TunnelledByTTLS=1>
         AuthBy  Check2017LDAP
</Handler>

<Handler Realm=cesnet.cz, TunnelledByPEAP=1>
         AuthBy  Check2017LDAP
</Handler>

<Handler Realm=cesnet.cz>
         AuthBy  Check2017LDAP
         AuthLog authlogger
         AuthLog FTICKS-FULL

         AddToReplyIfNotExist    Tunnel-Type=1:VLAN,\

Best regards
Jan Tomasek aka Semik
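As an added illustration (not Radiator's code and not from the post), the following Python model replays the behaviour described above: a failed host in the Host pool is skipped for FailureBackoffTime seconds, and when no host is usable the request gets an Access-Reject, which the WLC treats as a definitive answer. The backoff logic is simplified from the post's description; the outage scenario and host names are constructed.

```python
"""Simplified model of an AuthBy LDAP2 host pool with FailureBackoffTime.

Constructed illustration, not Radiator code: it only captures the behaviour
described in the post (failed host skipped for the backoff window, reject
when no host is left), not Radiator's real scheduling.
"""
from dataclasses import dataclass, field


@dataclass
class LdapPool:
    hosts: list                      # ordered like the Host parameter
    backoff: int                     # FailureBackoffTime in seconds
    dead_until: dict = field(default_factory=dict)

    def authenticate(self, now, reachable):
        """One request at time `now`; `reachable` is the set of hosts that
        would answer a bind right now. Returns ("ACCEPT", host) or
        ("REJECT", None). The reject is what the WLC sees as a definitive
        answer, so it never fails over to the other RADIUS server."""
        for h in self.hosts:
            if self.dead_until.get(h, -1) > now:
                continue             # still in backoff: not even retried
            if h in reachable:
                return ("ACCEPT", h)
            self.dead_until[h] = now + self.backoff   # mark host failed
        return ("REJECT", None)      # no usable host left -> Access-Reject


def simulate(hosts, backoff, outage, times):
    """Replay requests at `times` during a constructed outage
    (host, down_from, down_to). Returns {t: result}."""
    pool = LdapPool(hosts, backoff)
    host, down_from, down_to = outage
    results = {}
    for t in times:
        reachable = set(hosts)
        if down_from <= t < down_to:
            reachable.discard(host)
        results[t] = pool.authenticate(t, reachable)
    return results


def seconds_rejected(results, step):
    """Seconds of a replay during which every client got Access-Reject."""
    return step * sum(1 for r in results.values() if r[0] == "REJECT")


if __name__ == "__main__":
    times = range(0, 700, 10)
    # Single host, default backoff: a 30 s LDAP blip becomes 600 s of rejects.
    one = simulate(["ldap"], 600, ("ldap", 0, 30), times)
    print("single host / 600 s:", seconds_rejected(one, 10), "s of Access-Reject")
    # Two hosts, 60 s backoff: the second host answers, the first is retried at 60 s.
    two = simulate(["ldap1", "ldap2"], 60, ("ldap1", 0, 30), times)
    print("two hosts / 60 s:", seconds_rejected(two, 10), "s of Access-Reject")
```

The single-host run shows why the WLC never fails over: it receives a reject for the whole backoff window, long after the LDAP server is back.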
