Hi, Sorry to waste time, but do you mean the full log from doing a 'radius -X'? I want to clarify because on a production server that will be a huge log. I am happy to produce it though.
Set them the same as the thread pools.
Do you mean make 'spare = ${thread[pool].max_servers}'? Does the default of 32 sound like a reasonable number of max_servers in radius.conf on a busy site or do a lot of people go higher? Dave On 13/04/16 12:58, Alan DeKok wrote:
On Apr 13, 2016, at 5:12 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
Yesterday, I moved a fair chunk of our on-site wireless to FreeRADIUS as we migrate from our NPS servers. I have had a number of complaints of users being forced to reauthenticate (prompted for their password again) on odd occasions throughout the day. Logs show a login incorrect:
Tue Apr 12 15:06:47 2016 : Auth: (264236) Login OK: [xxx@kent.ac.uk] (from client cwlc-tlb port 2 cli a8:66:7f:12:a9:b9)
Those logs are useless. Post the debug log as suggested in the FAQ, "man" page, web pages, and daily on this list.
Posting OTHER logs is just wasting everyones time.
It looks like it is rejecting the auth because it can not make the LDAP connection to validate the user.
It looks like the *real* reason why the user is disconnected is in the debug logs.
Two questions on this. First, is it possible to allow clients a couple of attempts to retry their authentication before completely rejecting and forcing them to enter their password again?
No. The authentication process is driven entirely by the client. There's no way for the RADIUS server to push configuration to the client.
Second, are there any rules of thumb regarding setting min, max and spare for LDAP connections? At the moment I have:
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html