Newbie question - number of radius requests per session?

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 31 14:12:01 CET 2007


On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
> I have FreeRadius 1.1.7 installed and talking to our eDirectory
> servers via LDAP to authenticate users to our wireless network.  It
> works great, but our eDirectory servers get hit with 11 requests each
> time a single client authenticates.  Running FreeRadius in debug mode,
> I see 10 requests of the format "Access-Request packet from host
> 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port
> 1082".  Then I see a single final request of the format
> "Access-Request packet from host 10.0.0.1" and then "Sending
> Access-Accept of id 0 to 10.0.0.1 port 1082".  Each one of these 11
> requests performs a check of the user on our eDirectory servers, hence
> the 11 hits each time a single client authenticates.
>  
> Is this normal or do I need to fix something?  I'd be glad to send the
> entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets.

You have configured the server to run the LDAP lookups on each packet, as
opposed to just once.

The easiest thing is to do this:

authorize {
  preprocess
  ...etc...
  eap
  ...etc...
  Autz-Type INNER {
    ldap
  }
}

...and in the "users" file:

DEFAULT	Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

This will match the "inner" packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.

Getting down to 1 lookup requires FreeRadius 2.0 (not currently
released).

>  
> Thanks for your help,
>  
> Nathan
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University
> www.cedarville.edu 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
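
Added example, not part of the original message and not FreeRADIUS code: a Python script that counts Access-Request packets per authentication in debug output, so the figure can be compared before and after the change suggested above. The sample lines are constructed from the two message shapes quoted in the post. The script assumes one client authenticates at a time per NAS address, because it keys conversations by host rather than by the RADIUS State attribute.

```python
import re

# Line shapes follow the two debug messages quoted in the post. Anything
# before or after the matched text (prefixes, ":port", "id=") is ignored.
REQUEST = re.compile(r"Access-Request packet from host (\d+(?:\.\d+){3})")
REPLY = re.compile(
    r"Sending Access-(Challenge|Accept|Reject) of id \d+ to (\d+(?:\.\d+){3}) port \d+"
)

def count_round_trips(lines):
    """Return (nas_host, access_requests, outcome) for each finished conversation."""
    pending = {}    # nas_host -> Access-Requests seen since the last final reply
    finished = []
    for line in lines:
        req = REQUEST.search(line)
        if req:
            host = req.group(1)
            pending[host] = pending.get(host, 0) + 1
            continue
        reply = REPLY.search(line)
        if reply and reply.group(1) != "Challenge":
            outcome, host = reply.groups()
            # A final reply with no counted request (truncated capture) is skipped.
            if host in pending:
                finished.append((host, pending.pop(host), outcome))
    return finished

# Constructed sample: the 10 challenges plus 1 accept described in the post,
# followed by a short rejected conversation from a second, hypothetical NAS.
SAMPLE = (
    ("Access-Request packet from host 10.0.0.1\n"
     "Sending Access-Challenge of id 0 to 10.0.0.1 port 1082\n") * 10
    + "Access-Request packet from host 10.0.0.1\n"
    + "Sending Access-Accept of id 0 to 10.0.0.1 port 1082\n"
    + "Access-Request packet from host 10.0.0.2\n"
    + "Sending Access-Challenge of id 1 to 10.0.0.2 port 1083\n"
    + "Access-Request packet from host 10.0.0.2\n"
    + "Sending Access-Reject of id 2 to 10.0.0.2 port 1083\n"
)

if __name__ == "__main__":
    for host, requests, outcome in count_round_trips(SAMPLE.splitlines()):
        # With ldap listed at the top level of authorize, each request is one lookup.
        print(f"{host}: {requests} Access-Requests before Access-{outcome}")
```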
