[RADIATOR] AuthBy LDAP2 and FailureBackoffTime

Heikki Vatiainen hvn at open.com.au
Mon Jun 7 14:06:52 UTC 2021

On 3.6.2021 17.12, Jan Tomasek wrote:

> I'm running two Radiator servers for authentication of our users in 
> cesnet.cz realm on our eduroam WiFi. Each Radiator has a dedicated LDAP 
> server. WiFi is controlled by a WLC. I expected that if any of RADIUSes 
> fails WLC will fail back to another. That is true for the RADIUS server, 
> but not for LDAP server failure.

That should be the case also when Radiator can't use the LDAP server 
because of LDAP server's failure.

> In case there is the LDAP server failure, the Radiator returns 
> access-reject for default FailureBackoffTime = 600s. WLC has no chance 
> to discover that there is a problem because it receives a response and 
> continues to send clients to the failing RADIUS server. Is there any 
> chance how to not respond to request when AuthBy LDAP2 fails?

AuthBy LDAP2 should already return IGNORE when it can not connect to 
LDAP server, LDAP query fails or some other LDAP related failure 
happens. Returning ignore is exactly for the reason you describe: allow 
the RADIUS client to do a fail over.

Would you have any logs that show the LDAP failure that triggers a 
reject of ignore? If there's a case that results in a reject, I'd like 
to check why this happens.

> Is there a chance to re-check failed LDAP server before 
> FailureBackoffTime expires? When there is no remaining LDAP server in 
> Host pool this waiting doesn't make much sense?

Currently IGNORE is returned directly when FailureBackoffTime is still 
in effect.

I'm wondering if you have something in your configuration that turns an 
ignore to a reject after AuthBy LDAP2 is called?

> At this moment I reduced FailureBackoffTime from 600s to 60s and 
> provided multiple LDAP servers to AuthBy LDAP2. Which seems to be working.

It's good to hear that the above helps but the AuthBy itself should also 
work so that it can signal LDAP failure by using ignore and allowing the 
client to do a proper failover.

Can you check if your config has something that does this? If not, I'd 
like to see the logs to see why AuthBy LDAP2 does not return IGNORE.

> My config:

Looks good but please check if there are additional hooks or AuthBys 
that may turn IGNORE to a REJECT.


> <AuthBy LDAP2>
>          Identifier Check2017LDAP
>          UsernameMatchesWithoutRealm yes
>          Host                    ldap
>          Port                    636
>          UseSSL
>          SSLCAFile               /etc/radiator/certs/chain_CESNET_CA4.pem
>          FailureBackoffTime      60
>          AuthDN                  xxxx
>          AuthPassword            xxxx
>          BaseDN                  dc=cesnet,dc=cz
>          UsernameAttr            uid
>          PasswordAttr            radiusPassword
>          AuthAttrDef             radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
>          SearchFilter            (&(%0=%1)(|(objectClass=eduroamTestAccount)(objectClass=radiusUser)))
>          EAPType                 PEAP,MSCHAP-V2,LEAP,TTLS
>          # 2. 11. 2018 Semik - we no longer send the root certificate
>          EAPTLS_CAPath           /etc/ssl/certs/null
>          EAPTLS_CertificateFile  /etc/radiator/certs/radius.cesnet.cz.crt
>          EAPTLS_CertificateType  PEM
>          EAPTLS_PrivateKeyFile   /etc/radiator/certs/radius.cesnet.cz.key
>          EAPTLS_PrivateKeyPassword xxxx
>          EAPTLS_MaxFragmentSize  1000
>          EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}
>          AutoMPPEKeys
>          EAPTLS_PEAPVersion      0
>          EAPAnonymous            %n
>          SSLeayTrace             0
> </AuthBy>
> <Handler Realm=cesnet.cz, TunnelledByTTLS=1>
>          AuthBy  Check2017LDAP
> </Handler>
> <Handler Realm=cesnet.cz, TunnelledByPEAP=1>
>          AuthBy  Check2017LDAP
> </Handler>
> <Handler Realm=cesnet.cz>
>          AuthBy  Check2017LDAP
>          AuthLog authlogger
>          AuthLog FTICKS-FULL
>          AddToReplyIfNotExist    Tunnel-Type=1:VLAN,\
>                                  Tunnel-Medium-Type=1:Ether_802
> </Handler>
> Best regards

Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
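
An added example, not part of the original message and not Radiator's own tooling: a small Python audit that follows the advice above to look for additional hooks or AuthBys that may turn IGNORE into a REJECT. It assumes a flat configuration like the quoted one (no nested blocks) and treats any parameter whose name ends in "Hook", an AuthByPolicy setting, or more than one AuthBy in a Handler as worth a manual look; the sample config, the PostAuthHook line and its path are constructed for illustration.

```python
import re

# Constructed sample modelled on the config quoted above. The PostAuthHook
# line and its file path are hypothetical, added so the audit has a finding.
SAMPLE = r"""
<AuthBy LDAP2>
    Identifier Check2017LDAP
    Host ldap
    FailureBackoffTime 60
</AuthBy>
<Handler Realm=cesnet.cz, TunnelledByPEAP=1>
    AuthBy Check2017LDAP
</Handler>
<Handler Realm=cesnet.cz>
    AuthBy Check2017LDAP
    # hypothetical hook, not from the thread
    PostAuthHook file:"/etc/radiator/hooks/post_auth.pl"
    AddToReplyIfNotExist Tunnel-Type=1:VLAN,\
        Tunnel-Medium-Type=1:Ether_802
</Handler>
"""

# One top-level <AuthBy ...> or <Handler ...> block (assumes no nested blocks).
BLOCK = re.compile(r"^\s*<(AuthBy|Handler)\b([^>]*)>\s*$(.*?)^\s*</\1>", re.M | re.S)

def audit(config):
    """List blocks holding parameters that can change an AuthBy result."""
    text = re.sub(r"\\\r?\n\s*", "", config)  # join backslash continuations
    report = []
    for kind, args, body in BLOCK.findall(text):
        names = [line.split()[0] for line in body.splitlines()
                 if line.strip() and not line.lstrip().startswith("#")]
        findings = [f"hook: {n}" for n in names if n.endswith("Hook")]
        if "AuthByPolicy" in names:
            findings.append("AuthByPolicy set")
        if kind == "Handler" and names.count("AuthBy") > 1:
            findings.append("multiple AuthBy")
        if findings:
            report.append((f"<{kind}{args}>", findings))
    return report

if __name__ == "__main__":
    for header, findings in audit(SAMPLE):
        print(header, "->", ", ".join(findings))
```

A finding only marks a place to read by hand; whether a given hook or policy actually changes the result depends on what it does.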
