7.9. Proxy RADIUS Balancing based on request attributes

In certain situations, it may be necessary to balance RADIUS requests based on the attributes of the requests.

For this purpose, OpenNAC defines the policy force_Balance_Realm_opennac (disabled by default), which performs this balancing.

To configure this balance, follow these steps:

  1. Define a new realm with the servers to which you want to send requests in /etc/raddb/proxy.conf.

Note

Remember, all the nodes defined inside home_server_pool must be previously defined as home_server.

Example:

home_server_pool pool.forced {
    type = keyed-balance
    home_server = worker04
}

realm forcedRealm {
    nostrip
    pool = pool.forced
}

  2. On the ON Proxy server, configure the balancing condition in the force_Balance_Realm_opennac policy in the /etc/raddb/policy.d/opennac file:

force_Balance_Realm_opennac {
    if (&Calling-Station-ID == "aa:bb:cc:dd:ee:ff" || &NAS-IP-Address == "1.2.4.4") {
        update control {
            &Proxy-To-Realm := forcedRealm
        }
    }
}

To change the “if” condition so that it balances on other attributes of the RADIUS request, take into account the format of the attributes and the comparison operators of the unlang language.

When comparing IP addresses, consider the following behaviors:

  • Any unqualified IP address is assumed to have a /32 prefix (IPv4) or a /128 prefix (IPv6).

  • If the prefixes of the left and right sides are equal, then the comparisons are performed on the IP address portion.

  • If the prefixes of the left and right sides are not equal, then the comparisons are performed as set membership checks.

One use of IP comparison is to determine whether the request comes from a network device in a specific network. In this case, the condition in the if statement should be “&NAS-IP-Address < 10.10.36.0/24”. For example:

...
if (&NAS-IP-Address < 10.10.36.0/24) {
    ...

  3. Finally, specify the realm to which you want to send these requests by setting the Proxy-To-Realm value, which must correspond to a realm defined in /etc/raddb/proxy.conf.

  4. Enable balancing by uncommenting the force_Balance_Realm_opennac lines in the /etc/raddb/sites-enabled/default file, both in the “authorize” and “preacct” sections.

  5. Restart the RADIUS server:

systemctl restart radiusd

At this point, requests that meet the defined condition are redirected to the servers of the configured realm.
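
The procedure above depends on a chain of references: Proxy-To-Realm names a realm, the realm names a pool, and every home_server in the pool must have its own definition. The following Python check of that chain is an added example, not OpenNAC or FreeRADIUS code; the function names and the sample configuration are constructed, and it assumes blocks without nested braces and realms that use a plain "pool =" line.

```python
import re

# Constructed sample (not a real deployment): the pool and realm from the
# example above, with the home_server block for worker04 left out on purpose.
SAMPLE_PROXY_CONF = """
home_server_pool pool.forced {
    type = keyed-balance
    home_server = worker04
}
realm forcedRealm {
    nostrip
    pool = pool.forced
}
"""
SAMPLE_POLICY = "update control { &Proxy-To-Realm := forcedRealm }"

BLOCK = re.compile(r"^\s*(home_server_pool|home_server|realm)\s+(\S+)\s*\{", re.M)

def parse_blocks(conf):
    """Map block kind -> {name: body}; assumes no nested braces in these blocks."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    found = {"home_server": {}, "home_server_pool": {}, "realm": {}}
    for m in BLOCK.finditer(conf):
        end = conf.find("}", m.end())
        found[m.group(1)][m.group(2)] = conf[m.end():end if end >= 0 else len(conf)]
    return found

def values(body, key):  # values assigned to `key`, e.g. "pool = pool.forced"
    return re.findall(rf"^\s*{key}\s*=\s*(\S+)", body, re.M)

def check_forced_realm(proxy_conf, policy):
    """Return the broken references; an empty list means the chain resolves."""
    blocks, problems = parse_blocks(proxy_conf), []
    policy = re.sub(r"#.*", "", policy)  # ignore commented-out lines
    for realm in re.findall(r'Proxy-To-Realm\s*:=\s*"?([\w.-]+)', policy):
        if realm not in blocks["realm"]:
            problems.append(f"realm {realm} is not defined")
            continue
        for pool in values(blocks["realm"][realm], "pool"):
            if pool not in blocks["home_server_pool"]:
                problems.append(f"home_server_pool {pool} is not defined")
                continue
            for server in values(blocks["home_server_pool"][pool], "home_server"):
                if server not in blocks["home_server"]:
                    problems.append(f"home_server {server} is not defined")
    return problems

if __name__ == "__main__":
    print(check_forced_realm(SAMPLE_PROXY_CONF, SAMPLE_POLICY))
```

To check a real node, pass the contents of /etc/raddb/proxy.conf and /etc/raddb/policy.d/opennac to check_forced_realm before restarting radiusd.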

Important

If you want to disable this configuration, you must comment out the force_Balance_Realm_opennac lines in /etc/raddb/sites-enabled/default.