Fast session resumption segfault
Alexander Clouter
alex at digriz.org.uk
Thu Oct 20 21:32:28 CEST 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>>>>
>>>> We have session resumption enabled (lifetime 24 and max_entries 8192)
>>>> and we do not have any problems:
>>>
>>> Weird; AFAICT there's a clear memory leak prior to Alan's fix. Which
>>> version are you running?
>>>
>> ~70c2285ish
>
> Ok, so 2.1.12 basically. I honestly don't understand how we're having
> problems and you're not.
>
> How many auths are you doing per day? How many are actually triggering
> session resumption? What are your "cache { }" settings?
>
Most of our 802.1X authentications hit a single FreeRADIUS box
(anycast'ing reasons) and the '@soas.ac.uk'-only authentications make up
about 2/3rds of the requests:
13;32175
14;26469
15;6454
16;4803
17;29634
18;33874
19;30787
20;28765
MAC-auth[2]'s to the same boxes (more evenly distributed):
13;4547
14;3601
15;1520
16;1287
17;3997
18;5205
19;4919
20;4366
Bear in mind, these RADIUS servers are *low* powered ARM boxen[3], our
authentications (and authorisation policy) all come via LDAP. SQL is
only used to log to.
>>> Are you perhaps not caching any reply VPs?
>>>
>> Just the User-Name.
>
> Interesting.
>
> I am setting Cached-Session-Policy on inner-tunnel, then extracting it
> in post-auth on outer and doing all decisions there.
>
We do *all* our authorisation on the outer post-auth layer too but all
around User-Name. I use rlm_perl to cache Ldap-UserDn from the first
EAP packet to make it available on the final one (so we only make two
LDAP lookups per EAP *session*).
> Weird stuff...
>
In case you are curious, here's everything (minus secrets):
http://stuff.digriz.org.uk/freeradius.tar.gz
sites-enabled/* and LOCAL is where the action is.
I plan to put the bulk of it up on my personal website one day...
Cheers
[1] SELECT extract(day from timestamp), COUNT(*) FROM dot1x_auth WHERE realm != 'NULL' AND packet_type = 'Access-Accept' AND timestamp > 'today'::date - '7 days'::interval GROUP BY extract(day from timestamp) ORDER BY extract(day from timestamp);
[2] same as [1] but realm != 'NULL' -> realm = 'NULL'
[3] http://www.globalscaletechnologies.com/p-35-openrd-ultimate.aspx
--
Alexander Clouter
.sigmonster says: Editing is a rewording activity.