FreeRADIUS load balancing

FreeRADIUS load balancing configuration process:
Environment: 192.168.6.176 is the proxy server; 192.168.6.171 and 192.168.6.170 are the proxied (home) servers, each with FreeRADIUS installed.

Expected result: users authenticate against the proxy server 192.168.6.176. Users whose realm is mydomain1.com are handled by 192.168.6.171; users whose realm is mydomain0.com are handled by whichever of 192.168.6.171 and 192.168.6.170 is less busy.

Steps:
On the proxy server 192.168.6.176, add the following entries to proxy.conf:

home_server freeradius1 {
        # auth = authentication requests, acct = accounting requests, auth+acct = both
        type = auth
        # IP address of the home server
        ipaddr = 192.168.6.171
        # auth normally uses port 1812, acct port 1813
        port = 1812
        # shared secret protecting traffic between client and server; must be identical on both ends
        secret = hotspot
        # whether to require the Message-Authenticator attribute
        require_message_authenticator = no
        # if the home server does not respond within response_window, the RADIUS server starts the zombie_period timer; response_window is normally around 2-60
        response_window = 20
        # if the home server still has not responded after zombie_period, the RADIUS server considers it dead and marks it zombie. A zombie home server has the lowest priority: requests are forwarded to it only when no other live home server exists.
        zombie_period = 40
        # status-server sends Status-Server packets to check the home server's state
        status_check = status-server
        # interval between status checks
        check_interval = 30
        # number of status checks the home server must answer before it is marked alive
        num_answers_to_alive = 3
        # when this many requests are outstanding the home server is considered overloaded and receives no further requests
        max_outstanding = 65536
        coa {                   # only used when type = coa
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

home_server_pool myProxy1 {
        type = load-balance     # load-balance or fail-over
        home_server = freeradius1
}

realm mydomain1.com {
        auth_pool = myProxy1
        nostrip                 # without this the server may strip the realm and authentication fails
}

home_server freeradius0 {
        type = auth
        ipaddr = 192.168.6.170
        port = 1812
        secret = hotspot
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        status_check = status-server
        check_interval = 30
        num_answers_to_alive=3
        max_outstanding = 65536
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

home_server_pool myProxy0 {
        # load-balance: send each request to the less busy home server
        # fail-over: send every request to the first home server; if it goes down, send requests to the other home servers in the pool
        type = load-balance
        home_server = freeradius0
        home_server = freeradius1
}

realm mydomain0.com {
        auth_pool = myProxy0
        nostrip
}
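As an added example (not part of the original post), a small Python model of how the proxy on 192.168.6.176 picks a home server under this proxy.conf: realm extraction from User-Name, the effect of nostrip, load-balance versus fail-over, and the zombie fallback. The server, pool and realm names and addresses are the page's; the selection rules are a simplification of FreeRADIUS behaviour, not its source code.

```python
# Constructed model of the proxy.conf above (names and addresses from the page); the
# selection rules are a simplification of FreeRADIUS behaviour, not its source code.
HOME_SERVERS = {  # home_server name -> (ipaddr, port)
    "freeradius1": ("192.168.6.171", 1812),
    "freeradius0": ("192.168.6.170", 1812),
}
POOLS = {  # home_server_pool name -> (type, home_server entries in file order)
    "myProxy1": ("load-balance", ["freeradius1"]),
    "myProxy0": ("load-balance", ["freeradius0", "freeradius1"]),
}
REALMS = {  # realm name -> (auth_pool, nostrip present?)
    "mydomain1.com": ("myProxy1", True),
    "mydomain0.com": ("myProxy0", True),
}


def split_realm(user_name):
    """Realm is whatever follows the last '@' in User-Name; None if there is none."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def pick_server(pool, outstanding, zombie):
    """load-balance: live server with the fewest outstanding requests (file order breaks
    ties); fail-over: first live server in file order. Servers marked zombie are used
    only when no live server is left in the pool, as the comments above describe."""
    pool_type, members = POOLS[pool]
    live = [m for m in members if m not in zombie]
    candidates = live or members
    if pool_type == "fail-over":
        return candidates[0]
    return min(candidates, key=lambda m: (outstanding.get(m, 0), members.index(m)))


def route(user_name, outstanding=None, zombie=()):
    """Return (home_server name or None, User-Name as forwarded).
    None means no realm matched, so the proxy handles the request itself (case 1 below)."""
    user, realm = split_realm(user_name)
    if realm not in REALMS:
        return None, user_name
    pool, nostrip = REALMS[realm]
    server = pick_server(pool, outstanding or {}, set(zombie))
    # with nostrip the realm stays in User-Name, as the forwarded request in case 2 shows
    return server, (user_name if nostrip else user)
```

Passing a dict of outstanding request counts reproduces case 3: the first request goes to freeradius0 (170) and, while it is still pending, the second goes to freeradius1 (171).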

On the proxied server 192.168.6.171, add the following entry to proxy.conf:

realm mydomain1.com {
}

On the proxied server 192.168.6.171, add the following entry to clients.conf:

client 192.168.6.176 {
        secret = hotspot
        shortname = freeradius1
}

On the proxied server 192.168.6.170, add the following entry to proxy.conf:

realm mydomain0.com {
}

On the proxied server 192.168.6.170, add the following entry to clients.conf:

client 192.168.6.176 {
        secret = hotspot
        shortname = freeradius0
}

Results:
Start the FreeRADIUS service on 176, 171 and 170 with radiusd -X.
Send requests to the proxy server with the following commands.
Case 1:
[root@localhost raddb]# radtest test 'testing' 192.168.6.176 1812 hotspot
Sending Access-Request of id 114 to 192.168.6.176 port 1812
User-Name = "test"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 192.168.6.176 port 1812, id=114, length=20
The 176 log shows the user's realm is empty, so 176 handles the request itself.

Case 2:
[root@localhost raddb]# radtest [email protected] 'testing' 192.168.6.176 1812 hotspot
Sending Access-Request of id 125 to 192.168.6.176 port 1812
User-Name = "[email protected]"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 192.168.6.176 port 1812, id=125, length=20

The 176 log shows the user's realm is mydomain1.com, and 176 forwards the authentication request to 171:

Sending Access-Request of id 7 to 192.168.6.171 port 1812
User-Name = "[email protected]"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313235
Proxying request 1 to home server 192.168.6.171 port 1812

The 171 log shows the user's realm is mydomain1.com; it does not forward the request and handles it itself.

Case 3:
Open two terminals and enter the following command in both at the same time:
[root@localhost raddb]# radtest [email protected] 'testing' 192.168.6.176 1812 hotspot
Sending Access-Request of id 53 to 192.168.6.176 port 1812
User-Name = "[email protected]"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 192.168.6.176 port 1812, id=53, length=20
The 176 log shows the user's realm is mydomain0.com; 176 forwards the first request to 170 and the second request to 171.

Reposted from blog.csdn.net/aimomo007/article/details/78814751