RFC compliance in sanitizing Access-Reject responses
Alan DeKok
aland at deployingradius.com
Sat Sep 2 23:03:36 CEST 2006
Nicolas Baradakis <nbk at sitadelle.com> wrote:
> Until now it's the only method to get reply items from a SQL
> database: you have to use the "authorize_reply_query" directive.
> I'm not using LDAP, but I think this module adds VP to the reply
> packet during authorize, too.
Yes.
> Is it reasonable to modify the SQL queries in version 2.0? We could
> get only the check items in authorize, and the reply items will be
> pulled later in post-auth. (only if login is successful)
Yes.
> As the failed login attempts represent a significant part of the total
> RADIUS traffic, this should notably reduce the load of the backend
> database. (we don't query reply items if not needed)
Yes.
We'll just have to document it. I'll start a page on migration from
1.x to 2.x, and document some of the changes I've made.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Devel
mailing list