Alan DeKok-2 wrote:
leopold wrote:
Thank you very much Alan for your reply. Let me please clarify the requirements. EAP-TLS: - perform the needed SSL handshake, there are 11 messages exchanged and I do not want to query SQL each time and it degrades performance.
You already said that.
- find the user/machine in SQL, compare check attributes and respond with reply attributes based on SQL data.
You already said that.
If SQL is down or some other SQL connection failure then DO NOT RESPOND.
You already said that.
I already said that this pointless. If SQL is down, why the heck are you doing 10-11 EAP packets? It makes no sense.
If user/machine is not found in SQL DB or check attributes do not match reject, otherwise accept.
That's how the server works.
Your suggestion with sql.authorize in post-auth section "almost" works, the only problem is we need not to respond when SQL is down.
Did you bother to read the REST of my message, saying how you could accomplish this?
Because otherwise RADIUS might respond with Access-Accept and won't send the needed reply attributes when SQL is unavailable. Could you please change the code if there is not other neat way around to still use "do_not_respond" policy in post-auth section?
No.
Maybe in event.c you could check if control is set not to respond and then drop the packet?
No.
Read my previous message again. There is a way to do this without modifying the server code.
The solution with a shell script that tests SQL server periodically and kills/restart RADIUS daemon is not very neat. Also if polling interval is too low we might miss DB failure if too high it will introduce unnessary load on DB If you already have the capability not to respond, why it can't be used in POST-AUTH? Why you can't just check something like this? vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE); if (vp && vp->vp_integer == 256) { request->reply->code = 0; }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/EAP-TLS-performance-SQL-backend-bottleneck-tp25386668p... Sent from the FreeRadius - User mailing list archive at Nabble.com.