Logging ntlm authentication

John Horne john.horne at plymouth.ac.uk
Thu Sep 9 13:17:45 CEST 2010


On Tue, 2010-09-07 at 22:26 +0200, Alan DeKok wrote:
> John Horne wrote:
> > We have been running 3 servers with 2.1.10 (taken from git a while ago)
> 
>   The proxy change went in August 4.
> 
> > for some time with no problems. They act as a proxy, receiving requests
> > from wireless lan controllers and (mostly) proxying them on to MS IAS.
> > Is there any particular change that you wanted feedback on?
> 
>   What happens when a home server is marked zombie / dead.  Previously,
> if *one* request didn't get a response, the home server was marked
> "zombie".  If the proxy then received a response, the home server was
> marked "alive".
> 
>   i.e. if a proxy was sending packets for realm A && B to a home server,
> and the home server was responding only for realm A and not B... then
> the home server could be marked zombie / alive / zombie / alive in quick
> sequence.
> 
>   It now keeps track of recent replies.  If the home server is
> responding for realm A, then it will always be marked "alive", even if
> it's not responding for realm B.
> 
>   The home server is marked as "zombie" only when it receives *no*
> replies for a period of time.
> 
>   I hope that explanation makes sense...
> 
We don't have that exact scenario, but, for whatever reason, we were
seeing the home servers being marked dead/zombie extremely frequently -
usually every few minutes.

With the later git version (dated 1 September in the changelog file) we
are seeing far fewer changes of the home servers being marked
dead/zombie. From your description above I suspect this is what you were
aiming for.

A simple count of messages in our (daily) log files shows:

  grep -c dead radius.log.1            (yesterday, 24 hours)
  416
  grep -c Proxy: radius.log.1
  1859

  grep -c dead radius.log              (today, 12 hours)
  34
  grep -c Proxy: radius.log
  154

Unless we have had a sudden change in our home servers, and/or network,
(we haven't) the numbers do indicate that the freeradius code is now
less 'aggressive' in marking a home server dead/zombie.

(Our numbers are still probably high compared to other sites; we are
still investigating the cause of the problem.)




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
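
Added example, not part of the original message and not FreeRADIUS source code: a simplified model of the two home-server marking policies described in the quoted text, run over constructed event traces. The event layout and the `quiet_period` parameter are assumptions made for illustration.

```python
# Simplified model of the two marking policies described in the quoted text.
# Not FreeRADIUS source; event layout and `quiet_period` are assumptions.

def old_policy(events):
    """One unanswered request marks the server zombie; any reply marks it alive."""
    state, changes = "alive", 0
    for _t, _realm, kind in events:
        wanted = "alive" if kind == "reply" else "zombie"
        if wanted != state:
            state, changes = wanted, changes + 1
    return state, changes


def new_policy(events, quiet_period):
    """Zombie only when no reply for any realm arrived for quiet_period seconds."""
    state, changes = "alive", 0
    last_reply = events[0][0] if events else 0  # treat the start as a reply
    for t, _realm, kind in events:
        if kind == "reply":
            last_reply, wanted = t, "alive"
        elif t - last_reply >= quiet_period:
            wanted = "zombie"
        else:
            wanted = state  # a recent reply was seen: ignore this timeout
        if wanted != state:
            state, changes = wanted, changes + 1
    return state, changes


# Constructed trace: realm A is answered, realm B times out, one event per second.
PARTIAL = [(t, "A", "reply") if t % 2 == 0 else (t, "B", "timeout")
           for t in range(20)]
# Constructed trace: replies for 5 s, then the home server goes silent.
SILENT = ([(t, "A", "reply") for t in range(5)]
          + [(t, "A", "timeout") for t in range(5, 15)])

if __name__ == "__main__":
    for name, trace in (("partial", PARTIAL), ("silent", SILENT)):
        print(name, "old:", old_policy(trace), "new:", new_policy(trace, 5))
```

On the partial-response trace the old rule changes state on almost every packet while the new rule never does; on the silent trace both end in zombie, the new rule only after the quiet period has elapsed.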



