Degradation of service when authentication fails with Windows AD
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 6 13:39:19 CET 2013
On 06/02/13 12:19, Antonio Alberola wrote:
> I understand that the PAM mechanism is slow, some domains more than others.
> But, I don't understand why RADIUS doesn't clean this request with some
> timeout mechanisms. It's very simple to create a script for crashing the
> server with a DoS attack. I need a configuration parameter to deny the
> request if PAM module doesn't respond on time.
The PAM APIs are synchronous, and don't offer timeout options. It's not
possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.
Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and
FreeRADIUS can timeout the call.
> Why es RADIUS server accepting duplicate requests for queries that have
> already been sent to it? This is the cause of all threads are busy, correct?
No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process
them, because they're duplicates. But it logs them, because duplicates
are a symptom of too-slow authentication.
More information about the Freeradius-Users
mailing list