RFC compliance in sanitizing Access-Reject responses

Alan DeKok aland at deployingradius.com
Sat Sep 2 23:03:36 CEST 2006

Nicolas Baradakis <nbk at sitadelle.com> wrote:
> Until now it's the only method to get reply items from a SQL
> database: you have to use the "authorize_reply_query" directive.
> I'm not using LDAP, but I think this module adds VP to the reply
> packet during authorize, too.


> Is it reasonable to modify the SQL queries in version 2.0? We could
> get only the check items in authorize, and the reply items will be
> pulled later in post-auth. (only if login is successful)


> As the failed login attempts represent a significant part of the total
> RADIUS traffic, this should notably reduce the load of the backend
> database. (we don't query reply items if not needed)


  We'll just have to document it.  I'll start a page on migration from
1.x to 2.x, and document some of the changes I've made.

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

More information about the Freeradius-Devel mailing list