CPU intensize authorization module issue

Yannick Koehler yannick at koehler.name
Thu Mar 27 13:53:36 CET 2014


  I have an authorization module to write for FreeRADIUS that does a fair
amount of CPU intensive SQL queries 1-2 seconds time.  But the problem is
that when a 802.1x authentication is occuring this event occurs many times
4-5 times at each reception of RADIUS Access Request.  Also, at that time
the username is not the final one (normally the final one is sent within
the MSCHAPv2 from within the TLS tunnel used by PEAP or EAP-TLS or

  Is there a way for my authorization module to trigger the work to be done
only if EAP is at the stage of handling the internal authentication? Can
for example my module communicate with the EAP module and look at an
internal flag somewhere to know if the TLS tunnel has been completed?

 I would like the following:

   Access Request (EAP identity response) -> authorization module - no CPU
   <-- Access Challenge (EAP TLS Server Hello)

   Access Request (EAP TLS Client Hello) -> authorization module - no CPU
   <-- Access Challenge

  etc. until TLS is established

   Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU
intensive query
   <-- Access Accept

Yannick Koehler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/mailman/private/freeradius-devel/attachments/20140327/9db8aa47/attachment.html>

More information about the Freeradius-Devel mailing list