Redundant radius server - clients.conf replication?

radius

#1

Hi all, I have the radius app installed on a backup domain controller, but was going to install it on the master to have a redundant setup.

I notice that clients.conf does not seem to be under the UCS template control.

Does this also mean that I will have to take care of keeping the clients.conf file in sync between the master and backup?


#2

Hey,

as far as I know there’s no mechanism for syncing that file from the master to other installations in the domain. It wouldn’t make much sense for UCS to always do that anyway, at least for general setups, because not every DC is always located in the same network — think of using slave DCs in branch offices that only authenticate their own, local WAPs and switches.

In your case it does make sense to sync the file from DC Master to DC Backup as, reading between the lines, both servers are located in the same network and the DC Backup is supposed to take over all of the DC Master’s services in case of failure. Just create a cron job running rsync on the file regularly and set up SSH public key authentication for root from your DC Master to root on your DC Backup.

Kind regards
mosu


#3

OK, thanks for the feedback mosu, that makes sense with regard to the site specific APs.

The default integration seems geared toward yes/no user and device access for wireless.

If I wanted to set up radius auth for network device (router/switch) administration, I’m guessing I’ll need to start editing templates directly.

Is one way to do this to add an extended attribute to a group/user for “network admin access: T/F” for example and then use that in one of the templates to configure the relevant radius filters?

Looking for a way that can work with the UCS infrastructure rather than taking complete manual control over the radius package and losing visibility in UMC.

Cheers.


#4

Hey,

FreeRADIUS has a concept of “virtual servers” with sites-available and sites-enabled, very similar to Apache2. Instead of modifying the default configuration file (which is based on a UCR template), you can create your own configuration file in /etc/freeradius/3.0/sites-available/ and link it to /etc/freeradius/3.0/sites-enabled/.
Then you can simply choose per network device (WLAN Access point, Router, Switch …) in the clients.conf which “virtual server” to use (instead of default). E.g. if you created a virtual server config called my_rad_config, the clients.conf could look like this:
client ap.mydomain.example.org {
        ipaddr = 192.168.100.42
        secret = aVerySecretPassword
        virtual_server = my_rad_config
}

Best regards,
Michael
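An added example, not from this thread or from Univention: a small consistency check you can run on the DC Master before the rsync job from #2 copies clients.conf to the DC Backup. It parses the client blocks in the format shown above, confirms each has ipaddr and secret, flags duplicate addresses, and verifies that every virtual_server named is actually linked in sites-enabled on the target host. The sample clients.conf and the site names are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the style of the snippet above; names, addresses and
# secrets are made up and do not describe any real deployment.
SAMPLE_CLIENTS_CONF = """\
client ap.mydomain.example.org {
        ipaddr = 192.168.100.42
        secret = aVerySecretPassword
        virtual_server = my_rad_config
}
client switch01 {
        ipaddr = 192.168.100.10          # this site is not linked in sites-enabled
        secret = anotherSecret
        virtual_server = does_not_exist
}
client broken {
        ipaddr = 192.168.100.11          # no shared secret at all
}
"""

# Assumes flat client blocks as in the snippet above (no nested sub-sections).
BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.MULTILINE)


def parse_clients(text: str) -> Dict[str, Dict[str, str]]:
    """Map client name -> {option: value}; '#' comments are dropped first."""
    stripped = re.sub(r"#.*", "", text)
    return {name: dict(KV_RE.findall(body)) for name, body in BLOCK_RE.findall(stripped)}


def check_clients(clients: Dict[str, Dict[str, str]], enabled_sites: Set[str]) -> List[str]:
    """Return human-readable problems; an empty list means the file is fit to ship."""
    problems: List[str] = []
    seen_ips: Dict[str, str] = {}
    for name, opts in clients.items():
        for key in ("ipaddr", "secret"):
            if key not in opts:
                problems.append(f"{name}: missing {key}")
        site = opts.get("virtual_server")
        if site is not None and site not in enabled_sites:
            problems.append(f"{name}: virtual_server '{site}' not in sites-enabled")
        ip = opts.get("ipaddr")
        if ip in seen_ips:
            problems.append(f"{name}: ipaddr {ip} already used by {seen_ips[ip]}")
        elif ip:
            seen_ips[ip] = name
    return problems
```

On a real host, pass the contents of /etc/freeradius/3.0/clients.conf to parse_clients and `set(os.listdir('/etc/freeradius/3.0/sites-enabled'))` of the destination server to check_clients; only run rsync when the list comes back empty.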


#5

Thanks for the pointers, Michael. I’m still learning radius; I’ll give it a go!
MarkR