7.8. Proxy Radius Balancing based on request attributes
In certain situations we may need to balance RADIUS requests based on their attributes.
For this we have defined the policy “force_Balance_Realm_opennac” (disabled by default), which allows us to carry out this balancing.
To configure this balancing, follow these steps:
In /etc/raddb/proxy.conf, define a new realm with the servers to which we want to send requests.
Configure the balancing condition in the policy “force_Balance_Realm_opennac” inside /etc/raddb/policy.d/opennac on the ON Proxy server:
force_Balance_Realm_opennac {
    if ("%{Calling-Station-ID}" == "aa:bb:cc:dd:ee:ff" || "%{NAS-IP-Address}" == "1.2.3.4") {
        update control {
            &Proxy-To-Realm := testRealm
        }
    }
}
Here we can modify the “if” condition to balance based on the attributes of the RADIUS request. In doing so, we must take into account the format of the attributes and the comparison operators of the unlang language.
- When comparing IPs we must take into account the following behaviors:
Any unqualified IP address is assumed to have a /32 prefix (IPv4) or a /128 prefix (IPv6).
If the prefixes of the left and right sides are equal, then the comparisons are performed on the IP address portion.
If the prefixes of the left and right sides are not equal, then the comparisons are performed as set membership checks.
For example, to determine whether the request comes from a network device in a specific network, the “if” must use the following condition: “&NAS-IP-Address < 10.10.36.0/24”.
Finally, we must define to which realm we want to send said requests by means of the “Proxy-To-Realm” value, which must be a realm defined in /etc/raddb/proxy.conf
Enable balancing by uncommenting the “force_Balance_Realm_opennac” lines in the /etc/raddb/sites-available/default_proxy_opennac file, both in the “authorize” and “preacct” sections.
Restart the RADIUS server:
systemctl restart radiusd
At this point, requests that meet the defined condition should be redirected to the servers of the configured realm.
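The two files edited in the steps above, shown together as an added example (not taken from the openNAC distribution). The home server names, pool name, addresses and shared secret are constructed placeholders; only the realm name testRealm, the policy name and the subnet condition come from this page.

```conf
# /etc/raddb/proxy.conf
# Hypothetical home servers; 192.0.2.0/24 is a documentation range.
home_server test_radius_1 {
    type   = auth+acct
    ipaddr = 192.0.2.10
    port   = 1812
    secret = CHANGE_ME_SHARED_SECRET    # placeholder, use a long random value
}

home_server test_radius_2 {
    type   = auth+acct
    ipaddr = 192.0.2.11
    port   = 1812
    secret = CHANGE_ME_SHARED_SECRET    # placeholder, use a long random value
}

# Pool that spreads requests across both home servers.
home_server_pool test_pool {
    type        = load-balance
    home_server = test_radius_1
    home_server = test_radius_2
}

# The realm name must match the Proxy-To-Realm value set in the policy.
realm testRealm {
    auth_pool = test_pool
    acct_pool = test_pool
}

# /etc/raddb/policy.d/opennac
# Send every request whose NAS is inside 10.10.36.0/24 to testRealm.
force_Balance_Realm_opennac {
    if (&NAS-IP-Address < 10.10.36.0/24) {
        update control {
            &Proxy-To-Realm := testRealm
        }
    }
}
```

Running radiusd -XC before the restart checks that the configuration parses, so a typo in the realm or policy does not take the proxy down.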