Re: Degradation of service when authentication fails with Windows AD
Hi,
I'm having random authentication failures and I think they are due to a Radius server internal failure. I use Radius for authenticating the email of users in Windows Active Directory via PAM. Before I used NTLM and Kerberos together, and now I use PAM.
This is confusing. FreeRADIUS is calling the "pam" module, yes? So what is the PAM stack calling?
That's correct. I need RADIUS for authenticating POSTFIX users because the authentication depends on the POSTFIX users, via PAM (WINDOWS AD) or UNIX account. I also have many WINDOWS Domain and we need send the credentials to the correct one.
In short: the problem you are experiencing with FreeRADIUS is because your authentication mechanism (PAM) is taking too long to respond. This is consuming all threads in the pool, which explains the log messages you see.
Fix the PAM stack to fail over properly, and this problem will go away.
I understand that the PAM mechanism is slow, some domains more than others. But, I don't understand why RADIUS doesn't clean this request with some timeout mechanisms. It's very simple to create a script for crashing the server with a DoS attack. I need a configuration parameter to deny the request if PAM module doesn't respond on time. Why es RADIUS server accepting duplicate requests for queries that have already been sent to it? This is the cause of all threads are busy, correct?
On 06/02/13 12:19, Antonio Alberola wrote:
I understand that the PAM mechanism is slow, some domains more than others. But, I don't understand why RADIUS doesn't clean this request with some timeout mechanisms. It's very simple to create a script for crashing the server with a DoS attack. I need a configuration parameter to deny the request if PAM module doesn't respond on time.
The PAM APIs are synchronous, and don't offer timeout options. It's not possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM. Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and FreeRADIUS can timeout the call.
Why es RADIUS server accepting duplicate requests for queries that have already been sent to it? This is the cause of all threads are busy, correct?
No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process them, because they're duplicates. But it logs them, because duplicates are a symptom of too-slow authentication.
participants (2)
-
Antonio Alberola -
Phil Mayers