Configurable timeout in rlm_exec

Phil Mayers p.mayers at imperial.ac.uk
Tue Sep 25 13:41:25 CEST 2012 

On 25/09/12 12:01, Philipp Hug wrote:
> Hi Phil,
>
>     That's not completely unreasonable, but be aware that the server
>     thread is entirely blocked whilst waiting for the exec to complete.
>     If all threads in the pool are blocked, you'll have serious problems.
>
>     Basically: 10 seconds is a long to wait, so waiting even longer...
>     I'm kind of curious what you're doing?
>
>
> Well, the script is waiting for user interaction to authorize the radius
> transaction. (which will take up to 2 minutes)

Woah. That's an *enormous* timeout.

With a thread pool of 32 threads, one authentication every 4 seconds 
will eventually eat all your threads.

> And in our proof of concept we're using a shell script with rlm_exec.
>
> If there's another way to achieve this. e.g. by letting freeradius
> invoke the shell script like every 10s and check if the request is still
> pending or already accepted or denied, that would also be an acceptable
> solution.

I think you're going about this entirely the wrong way, personally.

I can think of a couple of alternatives.

  1. Just authenticate the user straight away - don't wait - but put 
them into a network with no access. Once the manual authorization is 
complete, send a CoA request to move the existing session into the 
"working" network. This should work on any NAS with CoA support, and is 
the "proper" RADIUS way to do it.

  2. More complex and error-prone - insert the authorization request 
into a SQL table and send an Access-Challenge with some attributes 
including State, and a "retry" delay. Have your NAS / the client 
"continue" at intervals of $retry, and keep sending Access-Challenge 
until the SQL row reads "accepted" or "rejected". This will only work if 
you have control of the NAS, and you'll have to implement the challenge 
sending/logic yourselves. Not a very clean solution.


What network protocol / NAS are you using here? I'd use CoA to solve 
this, if at all possible. 2 minute blocking timeouts on external "exec" 
are just crazy!

Cheers,
Phil

More information about the Freeradius-Devel mailing list