FreeRADIUS 负载均衡和高可用
测试环境
- 192.168.2.226 test.com 域控
- 192.168.2.97 freeradius.test.com
- 192.168.2.92 freeradius92.test.com
- 192.168.2.93 freeradius93.test.com
配置三台freeradius服务器hosts
- vim /etc/hosts
- 192.168.2.226 test.com
- 192.168.2.97 freeradius.test.com
- 192.168.2.92 freeradius92.test.com
- 192.168.2.93 freeradius93.test.com
修改主机名
- [root@lamp ~]# vim /etc/sysconfig/network
- NETWORKING=yes
- NETWORKING_IPV6=no
- HOSTNAME=freeradius93
按照前面的文档搭建freeradius+AD+mschap环境: http://waydee.blog.51cto.com/4677242/1103942
Load banace测试
配置192.168.2.92,192.168.2.92的client,添加
- client 192.168.2.0/24 {
- secret = testing123
- shortname = freeradius93
- }
配置192.168.2.97的proxy.conf
- proxy server {
- default_fallback = no
- }
- home_server freeradius92 {
- type = auth+acct
- ipaddr = 192.168.2.92
- port = 1812
- secret = testing123
- require_message_authenticator = yes
- response_window = 20
- zombie_period = 40
- #revive_interval = 120
- status_check = status-server
- check_interval = 30
- num_answers_to_alive = 3
- max_outstanding = 65536
- coa {
- irt = 2
- mrt = 16
- mrc = 5
- mrd = 30
- }
- }
- home_server freeradius93 {
- type = auth+acct
- ipaddr = 192.168.2.93
- port = 1812
- secret = testing123
- require_message_authenticator = yes
- response_window = 20
- zombie_period = 40
- #revive_interval = 120
- status_check = status-server
- check_interval = 30
- num_answers_to_alive = 3
- max_outstanding = 65536
- coa {
- irt = 2
- mrt = 16
- mrc = 5
- mrd = 30
- }
- }
- home_server_pool tn_auth_banance {
- type = load-balance
- home_server = freeradius92
- home_server = freeradius93
- }
- realm test.com {
- auth_pool = tn_auth_banance
- acct_pool = tn_auth_banance
- }
- realm LOCAL {
- }
测试:
- radtest -t mschap test@test.com 'test520' 192.168.2.97 0 testing123
查看192.168.2.97日志,可以看到freeradius将请求转发到后面的192.168.2.92进行处理,再验证,就将请求转发到192.168.2.93进行处理
- Sending Access-Request of id 3 to 192.168.2.92 port 1812
- User-Name = "test"
- NAS-IP-Address = 192.168.2.96
- NAS-Port = 0
- Message-Authenticator = 0x00000000000000000000000000000000
- MS-CHAP-Challenge = 0xc8d1db4f67319092
- MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007825afde2c4e435750d622dd3631cb5ad65bdfbfe5b64217
- Proxy-State = 0x3738
关闭两台home server,freeradius将两台home server都标注为dead
- Mon Jun 25 11:51:35 2012 : Info: Ready to process requests.
- Mon Jun 25 11:55:59 2012 : Proxy: Marking home server 192.168.2.92 port 1812 as zombie (it looks like it is dead).
- Mon Jun 25 11:56:03 2012 : Error: No response to status check 14 for home server 192.168.2.92 port 1812
- Mon Jun 25 11:56:03 2012 : Proxy: Marking home server 192.168.2.92 port 1812 as dead.
- Mon Jun 25 11:56:33 2012 : Error: No response to status check 30 for home server 192.168.2.92 port 1812
- Mon Jun 25 11:56:50 2012 : Proxy: Marking home server 192.168.2.93 port 1812 as zombie (it looks like it is dead).
- Mon Jun 25 11:56:54 2012 : Error: No response to status check 33 for home server 192.168.2.93 port 1812
- Mon Jun 25 11:57:07 2012 : Proxy: Marking home server 192.168.2.93 port 1812 as dead.
- Mon Jun 25 11:57:09 2012 : Error: No response to status check 34 for home server 192.168.2.92 port 1812
- Mon Jun 25 11:57:23 2012 : Error: No response to status check 36 for home server 192.168.2.93 port 1812
- Mon Jun 25 11:57:43 2012 : Error: No response to status check 38 for home server 192.168.2.92 port 1812
- Mon Jun 25 11:58:14 2012 : Proxy: Received response to status check 40 (1 in current sequence)
- Mon Jun 25 11:58:25 2012 : Error: No response to status check 41 for home server 192.168.2.93 port 1812
- Mon Jun 25 11:58:49 2012 : Proxy: Received response to status check 42 (2 in current sequence)
- Mon Jun 25 11:58:50 2012 : Proxy: Received response to status check 43 (1 in current sequence)
- Mon Jun 25 11:59:21 2012 : Proxy: Received response to status check 44 (2 in current sequence)
- Mon Jun 25 11:59:21 2012 : Proxy: Received response to status check 45 (3 in current sequence)
- Mon Jun 25 11:59:21 2012 : Proxy: Marking home server 192.168.2.92 port 1812 alive
- Mon Jun 25 11:59:50 2012 : Proxy: Received response to status check 46 (3 in current sequence)
- Mon Jun 25 11:59:50 2012 : Proxy: Marking home server 192.168.2.93 port 1812 alive
Failover 测试 只需将proxy.conf中的type改成fail-over
- type = fail-over
fail-over默认请求都转发到home server的第一台,只有当第一台宕机了才会将请求都转发到第二台。 停止第一台home server
- Mon Jun 25 12:03:24 2012 : Info: Ready to process requests.
- Mon Jun 25 12:05:26 2012 : Proxy: Marking home server 192.168.2.92 port 1812 as zombie (it looks like it is dead).
- Mon Jun 25 12:05:30 2012 : Error: No response to status check 9 for home server 192.168.2.92 port 1812
- Mon Jun 25 12:05:30 2012 : Proxy: Marking home server 192.168.2.92 port 1812 as dead.
发送验证测试请求
- [root@freeradius93 ~]# radtest -t mschap test@test.com 'test520' 192.168.2.97 0 testing123
- Sending Access-Request of id 52 to 192.168.2.93 port 1812
- User-Name = "test@test.com"
- NAS-IP-Address = 192.168.2.96
- NAS-Port = 0
- Message-Authenticator = 0x00000000000000000000000000000000
- MS-CHAP-Challenge = 0x2fe670516688a9f9
- MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000081d6f3083e9a221d74e0506324e0579c20ca2976ffc5763b
- rad_recv: Access-Accept packet from host 192.168.2.93 port 1812, id=52, length=84
- MS-CHAP-MPPE-Keys = 0x0000000000000000cb2fc9399e671506ba8e34b7b84f97de0000000000000000
- MS-MPPE-Encryption-Policy = 0x00000001
- MS-MPPE-Encryption-Types = 0x00000006
关于proxy.conf配置文件的解析
- Proxy server 设置是freeradius服务器控制发给其他radius服务器请求行为。
- 各个home server之间Load-balancing 和failover都是通过home server pool来控制的。
- Realm定义了使用哪个home server pool进行负载均衡或者failover。
- Realm指定使用哪个home server pool,而home server pool指定使用哪些home server;
- 多个realm可以指定一个home server pool, 一个home server pool可以指定多个home server,一个home server也可以出现在多个home server pool中。
- Home server的定义:home server指的是接受代理请求的另外一台radius server。Home server可以接受验证请求或者是计费请求。
- home_server localhost {
- type= auth 处理接入请求包
- acct 处理计费请求包
- auth+acct 处理接入请求在port端口,处理计费请求在port+1端口
- coa 处理coa和断开连接请求
- ipaddr =
- ipv6addr=
- virtual_server=
- 配置radius服务器的地址,可以填写ip地址或者主机名,建议填写ip地址,因为填写主机名会去查询dns服务器,如果dns缓慢或者失败则radius无法启动;另外radius只在启动的时候会检测一下,当该主机名对应的IP发生变更时一定要重启radius服务器才行。
- 当所有的home server都是失败时,默认使用本地的radius服务器进行处理。
- Secret= 密钥是radius服务器和home server之间通信的加密密钥。
- response_window 如果home server在response_window时间内没有响应则radius服务器开始初始化zombie_period时间,一般response_window时间在2-60左右,看具体的网络情况
- zombie_period 如果在zombie_period时间内home server还是没有响应,则radius服务器认为该home server已经dead 了。该home server被标注为zombie,标注为zombie的radius服务器处理请求的权限最低,只有当没有其他任何live的home server时,才将请求转发给标注为zombie的home server。
- 当有某个请求发送到该home server,那么以后的请求都发送到该home server进行处理,除非该home server被标注为dead,这时如果有live的home server,则将请求转发到其他的home server,如果没有,则post-proxy-type fail该参数设置将会生效。
- 如果status_check设置不为none,则当zombie_period开始时,radius服务器就会发送状态检测包检测该home server的状态,该状态检测是直到该home server标注为alive时才会停止。如果home server不支持状态检测,则freeradius服务器就无法知道他是否处于从dead变为alive,freeradius服务器是每隔一段时间将该home server标注为alive,如果home server还没起来,则会等待zombie_period的时间,而这期间的认证请求都会失败。
- revive_interval 该参数只在status_check设置为none的情况下使用,建议使用status_check, 并且将revive_interval去掉。
- status_check的设置值有none, status-server, request三个,如果设置为none,则使用revive_interval生效,设置为status-server则会发送status-server包进行检测home server的状态;设置为request,则会发送auth或者acct请求包,具体和type设置对应。
- 设置为request,可以设置默认的用户名密码,但这样不推荐,因为用户可以用该测试账户进行验证,如果设置了则将对该用户的请求设置为reject。
- check_interval设置status check的检查间隔时间。
- num_answers_to_alive设置home server被标记为alive前必须响应的status check的次数。该参数和check insterval共同决定饿了home server被标记为alve的时间。
- max_outstanding该参数设置当home server负载过高时不在向该home server发送请求;((#request sent) - (#requests received)) > max_outstanding
- home_server_pool: failover,先将请求发送到该pool中的第一个home server,如果该home server标记为dead,就发送到该pool中的第二台,如此反复。
- load-balance,将请求发送到pool中的最空闲的home server上,衡量空闲的指标是pool中处理请求最少那台home server。如果有多台home server都处于低负载,则在这几台home server上随机选择一台处理请求。Load balance不支持EAP的认证。
- client-balance ,选择home server的机制是通过hash客户端的IP地址获得,如果该home server宕机了,则会在pool中选择另外一台home server,有点类似failover; 这是对EAP认证的简单负载均衡,因为同一个客户端的请求都是发送到同一台home server上处理。
- client-port-balance,选择home server的机制是hash 客户端的IP和端口,如果该home server宕机了,则会在pool中选择另外一台home server,有点类似failover; 该方法比client-balance更有利于EAP的负载均衡,不过也意味着client的认证和计费可能处于不同的服务器。
- Home server: 该参数配置home server 名称,该名称不是hostname,是定义home server时的名称。
- Fallback如果所有的home server都是dead,则该fallback server启用,该服务器最好是virtual home server
- Realm 指向home server pool
- auth_pool 指向home server pool并且pool中的home server的type都必须是auth
- acct_pool 指向home server pool 并且pool中的home server的type必须是acct
- 如果pool中的home server的type都是auth+acct,那么可以使用pool参数设置即可
本文转自 waydee 51CTO博客,原文链接:http://blog.51cto.com/waydee/1104011,如需转载请自行联系原作者