Newbie question - number of radius requests per session?

Nathan Hay nphay at cedarville.edu
Mon Nov 12 22:41:08 CET 2007


Do I then remove ldap from the authorize section so that it doesn't call
it every packet?  I did a bunch of testing and it seems that I have to
do that to reduce the number of calls to our eDirectory servers.
 
Thanks for helping me out.
 
Nathan
 
Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu ( http://www.cedarville.edu/ ) 

>>> Phil Mayers <p.mayers at imperial.ac.uk> 10/31/2007 9:12 AM >>>
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
> I have FreeRadius 1.1.7 installed and talking to our eDirectory
> servers via LDAP to authenticate users to our wireless network.  It
> works great, but our eDirectory servers get hit with 11 requests each
> time a single client authenticates.  Running FreeRadius in debug mode,
> I see 10 requests of the format "Access-Request packet from host
> 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port
> 1082".  Then I see a single final request of the format
> "Access-Request packet from host 10.0.0.1" and then "Sending
> Access-Accept of id 0 to 10.0.0.1 port 1082".  Each one of these 11
> requests performs a check of the user on our eDirectory servers, hence
> the 11 hits each time a single client authenticates.
>
> Is this normal or do I need to fix something?  I'd be glad to send the
> entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets.

You have configured the server to run the LDAP lookups on each packet,
as opposed to just once.

The easiest thing is to do this:

authorize {
  preprocess
  ...etc...
  eap
  ...etc...
  Autz-Type INNER {
    ldap
  }
}

...and in the "users" file:

DEFAULT    Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

This will match the "inner" packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.

Getting down to 1 lookup requires FreeRadius 2.0 (not currently
released).

>  
> Thanks for your help,
>  
> Nathan
>  
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University
> www.cedarville.edu 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

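As an added check, not part of this thread or of FreeRADIUS itself, the script below tallies the packet lines quoted above from a debug capture and divides the ldap module's calls by finished EAP sessions, so the "11 lookups" versus "2 lookups" difference can be measured after a config change. It assumes the ldap module's debug lines begin with "rlm_ldap:" and builds a constructed sample session instead of reading a real capture.

```python
import re
from collections import Counter

# Packet line shapes as quoted in the thread; the "rlm_ldap:" prefix for the
# ldap module's own debug lines is an assumption, not taken from the thread.
REQ_RE = re.compile(r"Access-Request packet from host ([\d.]+)")
REPLY_RE = re.compile(
    r"Sending (Access-(?:Challenge|Accept|Reject)) of id \d+ to ([\d.]+) port \d+")
LDAP_RE = re.compile(r"^rlm_ldap:")


def summarise(log_text):
    """Tally packet types per NAS address and count ldap module calls."""
    counts = Counter()
    ldap_calls = 0
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            counts[(m.group(1), "Access-Request")] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
            continue
        if LDAP_RE.match(line):
            ldap_calls += 1
    return counts, ldap_calls


def ldap_lookups_per_session(log_text):
    """ldap calls per finished EAP session (each ends in one Accept or Reject)."""
    counts, ldap_calls = summarise(log_text)
    finished = sum(n for (_, kind), n in counts.items()
                   if kind in ("Access-Accept", "Access-Reject"))
    return ldap_calls / finished if finished else None


def constructed_session_log(challenge_rounds=10, ldap_every_packet=True,
                            nas="10.0.0.1"):
    """Constructed debug excerpt for one EAP session (not a real capture).
    True = lookup on every packet (poster's setup); False = only the inner
    request/challenge and request/accept, as with Autz-Type INNER."""
    total = challenge_rounds + 1
    lines = []
    for i in range(total):
        lines.append(f"Access-Request packet from host {nas}")
        if ldap_every_packet or i >= total - 2:
            lines.append("rlm_ldap: performing user authorization for testuser")
        reply = "Access-Accept" if i == challenge_rounds else "Access-Challenge"
        lines.append(f"Sending {reply} of id {i} to {nas} port 1082")
    return "\n".join(lines)
```

Run it over a real `radiusd -X` capture by passing the file contents to `ldap_lookups_per_session`; a value near 1 or 2 per session means the INNER restriction took effect.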