On Apr 28, 2023, at 6:31 AM, Shwe Toe <nyan.business@xxxxxxxxx> wrote: > I have some radius servers behind a Nginx load balancer. I have > configured Nginx to route egress traffic from upstream radius servers > directly to access points (bypassing the load balancer). In the AP's > hostapd.conf, "auth_server_addr" is set to load balancer. There is no > secondary auth_server_addr. I have two APs from different vendors and > noticed that hostapd behaves differently with this setup. I'll reply to this as the RADIUS guy. > On both APs, Radius Access-Request will send to the load balancer > (192.168.1.2), and receive Access-Challenge from upstream radius > server (192.168.1.99). According to the RFCs, the RADIUS client should ignore that response. > One AP sends the next Access-Request to load balancer (192.168.1.2). > Another AP sends the next Access-Request to the upstream radius server > (192.168.1.99). > > What should be the correct behavior for hostapd? Where should it send > the next Access-Request? I would argue "no". This behavior is not RFC compliant. It might work in certain limited situations. It's likely to cause problems. The correct solution is to update the load balancer and/or the RADIUS servers to use the same IP for replies. Alan DeKok. _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap