time delay in ntlm_auth?

Alan DeKok aland at deployingradius.com
Tue Oct 15 23:09:39 CEST 2013


Rui Ribeiro wrote:
> Finally, do you find 160ms-200ms an acceptable time to authenticate, or
> do I need to dig it further on?

  It should be fine.  The "unresponsive child" message will occur only
after "max_request_time".  i.e. 30 seconds.

  If a request takes more than 30s to process, then something is *very*
wrong.  It may indicate that the ntlm_auth program has hung.

  I'll take a look at writing a "wrapper" program to deal with this
issue.  It should take an argument of time to wait, and then the other
program to execute.  Then if the second program takes too long, kill it,
and return an error.

  e.g.

wait_limit -t 5 /path/to/ntlm_auth ... args ...

  Where "wait_limit" is a small C program.  It would wait 5 seconds, and
if ntlm_auth didn't return, kill it, and return a failure to radiusd.

  That would work around the "unresponsive child" issue, but not solve
it.  The underlying issue is that *something* is blocking ntlm_auth for
30s at a time.  That's bad.

  Alan DeKok.
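An added example of the `wait_limit` wrapper proposed in the message above; it is not code from the post's author or from the FreeRADIUS project. The function name `run_with_limit`, the exit codes 124 and 127, the 5 ms polling interval and the process-group kill are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

#define EXIT_TIMEOUT 124 /* assumed value, borrowed from coreutils timeout(1) */
#define EXIT_FAILED  127 /* assumed: could not run, or child died from a signal */

static double now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts); /* unaffected by wall-clock steps */
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Run argv under a deadline; return its exit status or one of the codes above. */
int run_with_limit(double secs, char *const argv[])
{
    const struct timespec tick = { 0, 5 * 1000 * 1000 }; /* poll every 5 ms */
    double deadline = now() + secs;
    int status;
    pid_t pid = fork();
    if (pid < 0) return EXIT_FAILED;
    if (pid == 0) {
        setpgid(0, 0);        /* own process group, so helpers can be killed too */
        execvp(argv[0], argv);
        _exit(EXIT_FAILED);   /* exec failed */
    }
    setpgid(pid, pid);        /* same call in the parent closes the race with kill() */
    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) return WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_FAILED;
        if (r < 0) return EXIT_FAILED;
        if (now() >= deadline) break;
        nanosleep(&tick, NULL);
    }
    if (kill(-pid, SIGKILL) < 0) kill(pid, SIGKILL); /* group first, then the pid */
    waitpid(pid, &status, 0); /* reap it so no zombie is left behind */
    return EXIT_TIMEOUT;      /* non-zero, so the caller sees a failure */
}

/* usage: wait_limit -t seconds program [args...] */
int main(int argc, char **argv)
{
    if (argc < 4 || strcmp(argv[1], "-t") != 0) return 2;
    return run_with_limit(strtod(argv[2], NULL), &argv[3]);
}
```

A wrapper like this only bounds how long radiusd waits; a timeout exit is still worth logging or alerting on, since it means the helper blocked.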


More information about the Freeradius-Users mailing list