Newbie question - number of radius requests per session?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 31 14:12:01 CET 2007
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
> I have FreeRadius 1.1.7 installed and talking to our eDirectory
> servers via LDAP to authenticate users to our wireless network. It
> works great, but our eDirectory servers get hit with 11 requests each
> time a single client authenticates. Running FreeRadius in debug mode,
> I see 10 requests of the format "Access-Request packet from host
> 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port
> 1082". Then I see a single final request of the format
> "Access-Request packet from host 10.0.0.1" and then "Sending
> Access-Accept of id 0 to 10.0.0.1 port 1082". Each one of these 11
> requests performs a check of the user on our eDirectory servers, hence
> the 11 hits each time a single client authenticates.
>
> Is this normal or do I need to fix something? I'd be glad to send the
> entire debug capture and my config if this is not normal.
EAP sessions typically cover tens of request/challenge packets.
You have configured the server to run the LDAP lookups on each packet, as
opposed to just once.
The easiest thing is to do this:
authorize {
        preprocess
        ...etc...
        eap
        ...etc...
        Autz-Type INNER {
                ldap
        }
}
...and in the "users" file:
DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER
This will match the "inner" packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).
You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.
Getting down to 1 lookup requires FreeRadius 2.0 (not currently
released)
>
> Thanks for your help,
>
> Nathan
>
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University
> www.cedarville.edu
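The check a practitioner would want after making the change above is a count of LDAP lookups per EAP session taken from the same radiusd -X output the question quotes. The following script is an added example, not code from this thread or from the FreeRADIUS project. It recognises the "Access-Request packet from host ..." and "Sending Access-Challenge/Accept of id ... to ... port ..." lines in the form shown in the question; the "rlm_ldap: performing user authorization for ..." line is assumed to be what the 1.x ldap module prints and may need adjusting to your own debug output. The two transcripts it analyses are constructed in the script (the hostname, port and user are made up) to reproduce the 10-challenge, 1-accept shape described in the question, once with ldap run on every packet and once with it run only on the two inner packets.

```python
"""Count rlm_ldap lookups per EAP session in FreeRADIUS `radiusd -X` output.

Added example; not from the original thread or the FreeRADIUS project.
"""
import re

# Line shapes modelled on the debug output quoted in the question. The
# rlm_ldap line is an assumption about the 1.x module's wording.
REQUEST_RE = re.compile(r"Access-Request packet from host (\S+?):(\d+)")
REPLY_RE = re.compile(
    r"Sending (Access-(?:Challenge|Accept|Reject)) of id \d+ to (\S+) port (\d+)"
)
LDAP_RE = re.compile(r"rlm_ldap: performing user authorization for (\S+)")


def count_lookups(lines):
    """Return one record per finished EAP session, keyed by NAS host:port.

    A session is every packet exchanged with one NAS source port until the
    server sends Access-Accept or Access-Reject. The 1.x server handles one
    packet at a time, so every rlm_ldap line printed between an
    Access-Request and its reply is charged to that request's session.
    """
    open_sessions = {}  # "host:port" -> {"requests": n, "lookups": m}
    current = None      # session whose packet is being processed right now
    finished = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            current = f"{m.group(1)}:{m.group(2)}"
            sess = open_sessions.setdefault(current, {"requests": 0, "lookups": 0})
            sess["requests"] += 1
            continue
        if current is not None and LDAP_RE.search(line):
            open_sessions[current]["lookups"] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            code, key = m.group(1), f"{m.group(2)}:{m.group(3)}"
            # A Challenge keeps the session open; Accept/Reject closes it.
            if code != "Access-Challenge" and key in open_sessions:
                sess = open_sessions.pop(key)
                sess.update(nas=key, result=code)
                finished.append(sess)
    return finished


def lookups_per_session(lines):
    """Flatten the records to (nas, requests, lookups, result) tuples."""
    return [(s["nas"], s["requests"], s["lookups"], s["result"])
            for s in count_lookups(lines)]


def synth_session(nas="10.0.0.1", port=1082, challenges=10, ldap_on=None,
                  user="testuser"):
    """Construct a radiusd -X style transcript for one EAP session.

    Constructed sample data: `challenges` Access-Challenge round trips
    followed by one Access-Accept. `ldap_on` is the set of 1-based packet
    numbers on which rlm_ldap runs; None means every packet, which is the
    misconfiguration described in the question.
    """
    total = challenges + 1
    lines = []
    for i in range(1, total + 1):
        lines.append(f"rad_recv: Access-Request packet from host {nas}:{port}, "
                     f"id={i - 1}, length=150")
        if ldap_on is None or i in ldap_on:
            lines.append(f"  rlm_ldap: performing user authorization for {user}")
        code = "Access-Challenge" if i <= challenges else "Access-Accept"
        lines.append(f"Sending {code} of id {i - 1} to {nas} port {port}")
    return lines


# ldap listed directly in authorize: a lookup on all 11 packets.
BEFORE = synth_session()
# ldap moved into Autz-Type INNER: lookups only on the two inner packets
# (the tunnelled request/challenge and request/accept).
AFTER = synth_session(ldap_on={10, 11})

if __name__ == "__main__":
    for label, log in (("ldap on every packet", BEFORE),
                       ("ldap only on inner packets", AFTER)):
        for nas, reqs, lookups, result in lookups_per_session(log):
            print(f"{label}: {nas}: {reqs} requests, {lookups} LDAP lookups, {result}")
```

To run it against a real capture, replace BEFORE/AFTER with `open("radiusd.log").read().splitlines()`; a session that still shows eleven lookups after the Autz-Type change means the users-file entry is not matching the inner packets, while two is the result Phil describes for 1.1.7.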