CPU intensize authorization module issue

Stefan Winter stefan.winter at restena.lu
Thu Mar 27 13:58:13 CET 2014


Hi,

this is a usage question, redirecting to -users.

You should call your module only in innner-tunnel/authorize, not in the
outer request (default/authorize).

Greetings,

Stefan Winter

On 27.03.2014 13:53, Yannick Koehler wrote:
> Hi,
> 
>   I have an authorization module to write for FreeRADIUS that does a
> fair amount of CPU intensive SQL queries 1-2 seconds time.  But the
> problem is that when a 802.1x authentication is occuring this event
> occurs many times 4-5 times at each reception of RADIUS Access Request. 
> Also, at that time the username is not the final one (normally the final
> one is sent within the MSCHAPv2 from within the TLS tunnel used by PEAP
> or EAP-TLS or EAP-TTLS).
> 
>   Is there a way for my authorization module to trigger the work to be
> done only if EAP is at the stage of handling the internal
> authentication? Can for example my module communicate with the EAP
> module and look at an internal flag somewhere to know if the TLS tunnel
> has been completed?
> 
>  I would like the following:
> 
>    Access Request (EAP identity response) -> authorization module - no
> CPU intensive
>    <-- Access Challenge (EAP TLS Server Hello)
>  
>    Access Request (EAP TLS Client Hello) -> authorization module - no
> CPU intensive
>    <-- Access Challenge
> 
>   etc. until TLS is established
> 
>    Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU
> intensive query
>    <-- Access Accept
> 
> -- 
> Yannick Koehler
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8A39DC66.asc
Type: application/pgp-keys
Size: 3243 bytes
Desc: not available
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140327/747bd71b/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/mailman/private/freeradius-users/attachments/20140327/747bd71b/attachment.pgp>


More information about the Freeradius-Users mailing list