Fast session resumption segfault

Alexander Clouter alex at digriz.org.uk
Thu Oct 20 21:32:28 CEST 2011


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>>>>
>>>> We have session resumption enabled (lifetime 24 and max_entries 8192)
>>>> and we do not have any problems:
>>>
>>> Weird; AFAICT there's a clear memory leak prior to Alan's fix. Which
>>> version are you running?
>>>
>> ~70c2285ish
> 
> Ok, so 2.1.12 basically. I honestly don't understand how we're having 
> problems and you're not.
> 
> How many auths are you doing per day? How many are actually triggering 
> session resumption? What are your "cache { }" settings?
>
Most of our 802.1X authentications hit a single FreeRADIUS box 
(anycast'ing reasons) and the '@soas.ac.uk' only authentications make up 
about 2/3rds of the requests:

13;32175
14;26469
15;6454
16;4803
17;29634
18;33874
19;30787
20;28765

MAC-auth[2]'s to the same boxes (more evenly distributed):
13;4547
14;3601
15;1520
16;1287
17;3997
18;5205
19;4919
20;4366

Bear in mind, these RADIUS servers are *low* powered ARM boxen[3], our 
authentications (and authorisation policy) all come via LDAP.  SQL is 
only used to log to.

>>> Are you perhaps not caching any reply VPs?
>>>
>> Just the User-Name.
> 
> Interesting.
> 
> I am setting Cached-Session-Policy on inner-tunnel, then extracting it 
> in post-auth on outer and doing all decisions there.
>
We do *all* our authorisation on the outer post-auth layer too but all 
around User-Name.  I use rlm_perl to cache Ldap-UserDn from the first 
EAP packet to make it available on the final one (so we only make two 
LDAP lookups per EAP *session*).

> Weird stuff...
>
In case you are curious, here's everything (minus secrets):

http://stuff.digriz.org.uk/freeradius.tar.gz

sites-enabled/* and LOCAL is where the action is.

I plan to put the bulk of it up on my personal website one day...

Cheers

[1] SELECT extract(day from timestamp), COUNT(*) FROM dot1x_auth WHERE realm != 'NULL' AND packet_type = 'Access-Accept' AND timestamp > 'today'::date - '7 days'::interval GROUP BY extract(day from timestamp) ORDER BY extract(day from timestamp);
[2] same as [1] but realm != 'NULL' -> realm = 'NULL'
[3] http://www.globalscaletechnologies.com/p-35-openrd-ultimate.aspx

-- 
Alexander Clouter
.sigmonster says: Editing is a rewording activity.



