Newbie question - number of radius requests per session?
I have FreeRadius 1.1.7 installed and talking to our eDirectory servers via LDAP to authenticate users to our wireless network. It works great, but our eDirectory servers get hit with 11 requests each time a single client authenticates. Running FreeRadius in debug mode, I see 10 requests of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port 1082". Then I see a single final request of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Accept of id 0 to 10.0.0.1 port 1082". Each one of these 11 requests performs a check of the user on our eDirectory servers, hence the 11 hits each time a single client authenticates. Is this normal or do I need to fix something? I'd be glad to send the entire debug capture and my config if this is not normal. Thanks for your help, Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu ( http://www.cedarville.edu/ )
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
I have FreeRadius 1.1.7 installed and talking to our eDirectory servers via LDAP to authenticate users to our wireless network. It works great, but our eDirectory servers get hit with 11 requests each time a single client authenticates. Running FreeRadius in debug mode, I see 10 requests of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port 1082". Then I see a single final request of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Accept of id 0 to 10.0.0.1 port 1082". Each one of these 11 requests performs a check of the user on our eDirectory servers, hence the 11 hits each time a single client authenticates.
Is this normal or do I need to fix something? I'd be glad to send the entire debug capture and my config if this is not normal.
EAP sessions typically cover tens of request/challenge packets. You have configured to server to run the LDAP lookups on each packet, as opposed to just once. The easiest thing is to do this: authorize { preprocess ...etc... eap ...etc... Autz-Type INNER { ldap } } ...and in the "users" file: DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER This will match the "inner" packets of the EAP session, and tell the server to run the Autz-Type sub-block of authorize (containing LDAP) You may still see 2 lookups, since there may be a request/challenge and request/accept inside the EAP tunnel, but it's better than 11. Getting down to 1 lookup requires FreeRadius 2.0 (not currently released)
Thanks for your help,
Nathan
Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do I then remove ldap from the authorize section so that it doesn't call it every packet? I did a bunch of testing and it seems that I have to do that to reduce the number of calls to our eDirectory servers. Thanks for helping me out. Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu ( http://www.cedarville.edu/ )
Phil Mayers <p.mayers@imperial.ac.uk> 10/31/2007 9:12 AM >>> On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote: I have FreeRadius 1.1.7 installed and talking to our eDirectory servers via LDAP to authenticate users to our wireless network. It works great, but our eDirectory servers get hit with 11 requests each time a single client authenticates. Running FreeRadius in debug mode, I see 10 requests of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port 1082". Then I see a single final request of the format "Access-Request packet from host 10.0.0.1" and then "Sending Access-Accept of id 0 to 10.0.0.1 port 1082". Each one of these 11 requests performs a check of the user on our eDirectory servers, hence the 11 hits each time a single client authenticates.
Is this normal or do I need to fix something? I'd be glad to send the entire debug capture and my config if this is not normal.
EAP sessions typically cover tens of request/challenge packets. You have configured to server to run the LDAP lookups on each packet, as opposed to just once. The easiest thing is to do this: authorize { preprocess ...etc... eap ...etc... Autz-Type INNER { ldap } } ...and in the "users" file: DEFAULTFreeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER This will match the "inner" packets of the EAP session, and tell the server to run the Autz-Type sub-block of authorize (containing LDAP) You may still see 2 lookups, since there may be a request/challenge and request/accept inside the EAP tunnel, but it's better than 11. Getting down to 1 lookup requires FreeRadius 2.0 (not currently released)
Thanks for your help,
Nathan
Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu - List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nathan Hay wrote:
Do I then remove ldap from the authorize section so that it doesn't call it every packet? I did a bunch of testing and it seems that I have to do that to reduce the number of calls to our eDirectory servers.
Yes. But it has to be listed inside of a sub-block, as described in the message you responded to. Alan DeKok.
Hi,
Do I then remove ldap from the authorize section so that it doesn't call it every packet? I did a bunch of testing and it seems that I have to do that to reduce the number of calls to our eDirectory servers.
yes - only call it from the INNER check. otherwise you are in exactly the same situation alan
Thanks for everyone's help. I have it working nicely now, but have one more situation I just started testing. I want to use the same radius servers to authenticate users on a different wireless network though a captive portal to the same eDirectory servers via LDAP. In order for the captive portal authentication to work, I had to put LDAP back in the authorize section, which breaks all the work I just did to reduce the calls to the eDirectory servers for my other network that uses 802.1X. Is there a way around this to have both working at the same time? Thanks, Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu ( http://www.cedarville.edu/ )
<A.L.M.Buxey@lboro.ac.uk> 11/13/2007 5:36 AM >>> Hi, Do I then remove ldap from the authorize section so that it doesn't call it every packet? I did a bunch of testing and it seems that I have to do that to reduce the number of calls to our eDirectory servers.
yes - only call it from the INNER check. otherwise you are in exactly the same situation alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks for everyone's help. I have it working nicely now, but have one more situation I just started testing.
I want to use the same radius servers to authenticate users on a different wireless network though a captive portal to the same eDirectory servers via LDAP.
In order for the captive portal authentication to work, I had to put LDAP back in the authorize section, which breaks all the work I just did to reduce the calls to the eDirectory servers for my other network that uses 802.1X.
Is there a way around this to have both working at the same time?
when using captive portal, all requests will come from one single NAS or client-IP address - that of the captive portal. simply add in an authenication type and call for that client...eg rough example DEFAULT Client-IP-Address == 1.2.3.4 Autz-Type := CAPTIVE than in the authorize section Autz-Type CAPTIVE { ldap } ...and remove that ldap that you put back into the main section. this info isnt 100% complete - but should get your mind down the right track. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Nathan Hay -
Phil Mayers