CPU intensive authorization module issue

Yannick Koehler yannick at koehler.name
Thu Mar 27 15:15:42 CET 2014


But if I put it under inner-tunnel/authorize will it still work with
PAP/CHAP (without 802.1x) and EAP-MD5 and others which are not using an
inner-tunnel?  Since I can't know in advance when each will be used.  It
is my understanding that for those without inner-tunnel I need to put the
code in the main authorize as well as within the inner-tunnel, which will
result in expensive SQL calls when 802.1x will be used because the main
global authorize will then be invoked.



2014-03-27 8:58 GMT-04:00 Stefan Winter <stefan.winter at restena.lu>:

> Hi,
>
> this is a usage question, redirecting to -users.
>
> You should call your module only in inner-tunnel/authorize, not in the
> outer request (default/authorize).
>
> Greetings,
>
> Stefan Winter
>
> On 27.03.2014 13:53, Yannick Koehler wrote:
> > Hi,
> >
> >   I have an authorization module to write for FreeRADIUS that does a
> > fair amount of CPU intensive SQL queries 1-2 seconds time.  But the
> > problem is that when a 802.1x authentication is occurring this event
> > occurs many times 4-5 times at each reception of RADIUS Access Request.
> > Also, at that time the username is not the final one (normally the final
> > one is sent within the MSCHAPv2 from within the TLS tunnel used by PEAP
> > or EAP-TLS or EAP-TTLS).
> >
> >   Is there a way for my authorization module to trigger the work to be
> > done only if EAP is at the stage of handling the internal
> > authentication? Can for example my module communicate with the EAP
> > module and look at an internal flag somewhere to know if the TLS tunnel
> > has been completed?
> >
> >  I would like the following:
> >
> >    Access Request (EAP identity response) -> authorization module - no
> > CPU intensive
> >    <-- Access Challenge (EAP TLS Server Hello)
> >
> >    Access Request (EAP TLS Client Hello) -> authorization module - no
> > CPU intensive
> >    <-- Access Challenge
> >
> >   etc. until TLS is established
> >
> >    Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU
> > intensive query
> >    <-- Access Accept
> >
> > --
> > Yannick Koehler
> >
> >
> >
> >
>
>
> --
> Stefan WINTER
> Research Engineer
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>



-- 
Yannick Koehler
Email: yannick at koehler.name
Blog: http://corbeillepensees.blogspot.com
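
Added example, not part of this thread and not FreeRADIUS code: a stand-alone C sketch of the decision the question asks for, run the expensive lookup once per login for PAP/CHAP, EAP-MD5 and the inner tunnelled request, and skip it on the outer handshake round trips. The helper name, the `LOOKUP_*` constants, the sample packets and the grouping of EAP-TLS with the tunnelled methods are assumptions; the caller is assumed to pass the concatenated EAP-Message value and to know whether it is handling the inner request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP code and method type numbers (RFC 3748, IANA EAP registry). */
enum { EAP_RESPONSE = 2 };
enum { EAP_IDENTITY = 1, EAP_NAK = 3, EAP_MD5 = 4,
       EAP_TLS = 13, EAP_TTLS = 21, EAP_PEAP = 25 };
enum { LOOKUP_SKIP = 0, LOOKUP_RUN = 1 };

/* Constructed sample EAP-Message values, not captured traffic. */
static const uint8_t SAMPLE_IDENTITY[] = {2, 1, 0, 8, EAP_IDENTITY, 'b', 'o', 'b'};
static const uint8_t SAMPLE_PEAP[] = {2, 2, 0, 6, EAP_PEAP, 0};
static const uint8_t SAMPLE_MD5[] = {2, 3, 0, 6, EAP_MD5, 0};

/* Hypothetical helper. eap/len: concatenated EAP-Message value (NULL if the
 * request has none); in_tunnel: non-zero for the inner, tunnelled request. */
int expensive_lookup_wanted(const uint8_t *eap, size_t len, int in_tunnel)
{
    size_t declared;
    if (in_tunnel)
        return LOOKUP_RUN;   /* inner request: final user name is present */
    if (eap == NULL || len == 0)
        return LOOKUP_RUN;   /* PAP/CHAP: single request, no tunnel follows */
    if (len < 5)
        return LOOKUP_SKIP;  /* too short for code, id, length and type */
    declared = ((size_t)eap[2] << 8) | eap[3];   /* big-endian length field */
    if (declared < 5 || declared > len || eap[0] != EAP_RESPONSE)
        return LOOKUP_SKIP;  /* malformed or not a response: do no work */
    switch (eap[4]) {
    case EAP_IDENTITY:       /* method not negotiated yet */
    case EAP_NAK:
    case EAP_TLS:            /* assumption: grouped with the TLS-based methods */
    case EAP_TTLS:
    case EAP_PEAP:           /* handshake round trips carry the outer identity */
        return LOOKUP_SKIP;
    default:                 /* e.g. EAP-MD5: no inner request will follow */
        return LOOKUP_RUN;
    }
}

int main(void)
{
    printf("PAP/CHAP=%d identity=%d PEAP outer=%d PEAP inner=%d EAP-MD5=%d\n",
           expensive_lookup_wanted(NULL, 0, 0),
           expensive_lookup_wanted(SAMPLE_IDENTITY, sizeof SAMPLE_IDENTITY, 0),
           expensive_lookup_wanted(SAMPLE_PEAP, sizeof SAMPLE_PEAP, 0),
           expensive_lookup_wanted(SAMPLE_PEAP, sizeof SAMPLE_PEAP, 1),
           expensive_lookup_wanted(SAMPLE_MD5, sizeof SAMPLE_MD5, 0));
    return 0;
}
```

Malformed or truncated EAP-Message values are skipped rather than looked up, so unauthenticated garbage cannot trigger the 1-2 second query.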