FreeRADIUS is now the default RADIUS server at my employer (a French telco/ISP), and we are really happy with it. However, I was asked to find a way to do round-robin distribution between LNS, and that is not a FreeRADIUS functionality.
I first started with an external program executed through the attr_rewrite module to randomly select an LNS in the database and substitute it into the reply:

# pick one LNS address at random from the lns table and print it without a newline
LNS=`mysql -ss -e "SELECT ip FROM lns ORDER BY RAND() LIMIT 1;" -h dbhost -u dbuser -pdbpass radius`
echo -n "$LNS"

But this only works for replacing a single attribute: I cannot replace several attributes at once, and since the values must match each other (the Tunnel-Server-Auth-Id name must match the Tunnel-Server-Endpoint IP), making several independent random choices is not an option.

So, my solution consists in modifying the SQL groupreply request (in the sql.conf file).

Instead of:

authorize_group_reply_query = "SELECT
${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.op
FROM ${groupreply_table}, ${usergroup_table}
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupreply_table}.GroupName
ORDER BY ${groupreply_table}.id"

I put:

authorize_group_reply_query = "SELECT
${groupreply_table}.id, ${groupreply_table}.GroupName, ${groupreply_table}.Attribute,
substring_index(substring_index(${groupreply_table}.Value, ';', myrand.val),';',-1),
${groupreply_table}.op
FROM ${groupreply_table}, ${usergroup_table}, (select floor(1+rand()*2) as val) as myrand
WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND
${usergroup_table}.GroupName = ${groupreply_table}.GroupName
ORDER BY ${groupreply_table}.id"

where the number in “rand()*2” must match the number of LNS.
The database value must be either in the usual form (the value itself)
when only one value is to be replied, or
“firstvalue;secondvalue…” separated by semicolons (in that case one of
the values is returned at random, and the same random number is used
for every attribute of the request).
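To make the selection rule above concrete, here is an added Python model of it (example code, not part of the original post or of FreeRADIUS): a reimplementation of MySQL's SUBSTRING_INDEX semantics, applied to a constructed radgroupreply table with one random number per request. It also shows what happens when the count in “rand()*N” does not match the number of values in a field, which is why the restart drawback matters.

```python
import random

# Constructed sample rows in the shape of the radgroupreply table:
# (id, GroupName, Attribute, Value, op). Addresses are documentation
# examples (RFC 5737), not real LNS.
GROUPREPLY_ROWS = [
    (1, "l2tp", "Tunnel-Type", "L2TP", "="),
    (2, "l2tp", "Tunnel-Medium-Type", "IP", "="),
    (3, "l2tp", "Tunnel-Server-Endpoint", "192.0.2.10;192.0.2.11", "="),
    (4, "l2tp", "Tunnel-Server-Auth-Id", "lns1;lns2", "="),
]


def substring_index(s, delim, count):
    """Python equivalent of MySQL SUBSTRING_INDEX(s, delim, count).

    count > 0: everything before the count-th delimiter from the left
               (the whole string if there are fewer delimiters).
    count < 0: everything after the |count|-th delimiter from the right.
    """
    if count == 0:
        return ""
    parts = s.split(delim)
    if count > 0:
        return delim.join(parts[:count])
    return delim.join(parts[count:])


def pick_value(value, val):
    """The expression used in the modified query: element number `val`
    (1-based) of a ';'-separated value; a plain value is returned as is."""
    return substring_index(substring_index(value, ";", val), ";", -1)


def group_reply(rows, group, val):
    """Rows the query would return for `group` once myrand.val is fixed."""
    return [
        (attr, pick_value(value, val), op)
        for (_id, g, attr, value, op) in sorted(rows)
        if g == group
    ]


def authorize(rows, group, n_lns, rng=random):
    """One authorize request: draw floor(1+rand()*n_lns) once and apply it
    to every attribute, so paired attributes select the same LNS."""
    val = rng.randint(1, n_lns)
    return group_reply(rows, group, val)


def lns_pair(reply):
    """Return (Tunnel-Server-Endpoint, Tunnel-Server-Auth-Id) from a reply."""
    attrs = {attr: value for attr, value, _op in reply}
    return attrs["Tunnel-Server-Endpoint"], attrs["Tunnel-Server-Auth-Id"]


def selection_counts(value, n_lns):
    """How many of the n_lns possible random draws select each element.

    When n_lns exceeds the number of elements, SUBSTRING_INDEX returns the
    whole string for the out-of-range indices and the last element absorbs
    them; when n_lns is smaller, the trailing elements are never chosen.
    """
    counts = {}
    for val in range(1, n_lns + 1):
        chosen = pick_value(value, val)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts


if __name__ == "__main__":
    for _ in range(3):
        print(lns_pair(authorize(GROUPREPLY_ROWS, "l2tp", 2)))
    print(selection_counts("192.0.2.10;192.0.2.11", 2))  # balanced
    print(selection_counts("192.0.2.10;192.0.2.11", 3))  # last one doubled
```

The derived table `(select floor(1+rand()*2) as val)` is evaluated once per query, which is what keeps Tunnel-Server-Endpoint and Tunnel-Server-Auth-Id pointing at the same LNS; `selection_counts` makes the skew visible when the constant in the query and the number of values in the field drift apart.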

I saw only two drawbacks: you must restart FreeRADIUS if you change the
number of LNS, and the separator character must not be used anywhere else in a value.
We are now using this solution in production and it works as expected.

March 15, 2007, 7:04 pm lock


Currently 3 comments

  1. Comment by Fox

    Still having fun with FreeRADIUS, as I can see :)
    Hello everyone.

  2. Comment by Mathieu Dessus

    Radiator is also an efficient RADIUS server, but we’ve just moved from Radiator to FreeRADIUS!

  3. Comment by zizou

    move to radiator (lns round-robin is a native function)
