Pre-release of Version 2.1.8

Alan DeKok aland at deployingradius.com
Wed Dec 9 07:50:05 CET 2009


Josip Rodin wrote:
> Which reminds me - the other day I had a situation where a NAS was rebooted
> and ~300 users immediately tried to reconnect and authenticated over a
> FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its
> two home_servers set up as fail-over, but neither of them with status_check.
> 
> Sadly, this started failing horribly - it seemed to overload the primary
> home_server, entering a peculiar pattern - condensed for readability and
> some private info obfuscation:

  Then the home servers are *extremely* slow.  Sending 300 packets over
the course of a second or two wouldn't overload a 486.

>       1  Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 87

  Look at the messages *before* that one.  The proxy:

a) proxies packet 1
b) gives up on it after a time
c) proxies a new packet 2
d) receives a reply for packet 1
e) logs this message as "Huh?"

> So I tried the poor man's solution - I shuffled them manually, restarted
> FreeRADIUS, and then it started authenticating them, before it seemingly
> DoSed that one and entered a very similar pattern of brokenness.

  300 packets is a DoS for a RADIUS server?  Wow... that's a *bad* server.

> Can any conclusions be drawn from this? I send over the detailed logs if
> necessary.

  The home servers are pathetic.

  Also, the proxy && fail-over algorithms in 2.1.x are much better than
2.0.4.

  Alan DeKok.

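The five-step sequence Alan describes above (proxy packet 1, give up, proxy packet 2, late reply for packet 1, "Huh?") comes down to how the proxy keys its outstanding-request table. The following is an added toy model written for this archive page, not FreeRADIUS code; it assumes the table is keyed by home server, port, a proxy-side socket index (a stand-in for the extra sockets a proxy opens once the one-octet ID space is used up) and RADIUS ID, and that an entry is dropped the moment the proxy gives up on it. The `home_server_ip_5` name and ID 87 are taken from the quoted log line; `simulate` and `late_reply_sequence` are constructed helpers.

```python
"""Toy model of a RADIUS proxy's outstanding-request table (constructed,
not FreeRADIUS code). Shows why a slow home server yields
"No outstanding request was found for proxy reply" log lines: once the
proxy gives up on a request its table entry is gone, so a reply that
arrives after that point matches nothing."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Table key: (home server, home port, proxy socket index, RADIUS ID).
# The socket index is this model's assumption for how more than 256
# requests to one home server can be outstanding at once.
Key = Tuple[str, int, int, int]


@dataclass
class Outstanding:
    request_no: int   # the client request this proxied packet belongs to
    sent_at: float    # when the proxy forwarded it (seconds)


@dataclass
class Proxy:
    give_up_after: float                  # seconds before abandoning a proxied request
    first_id: int = 0                     # constructed: first RADIUS ID handed out
    table: Dict[Key, Outstanding] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    _sent: int = 0

    def proxy(self, request_no: int, home: str, port: int, now: float) -> Key:
        """Forward request_no to home:port and record it as outstanding."""
        n = self.first_id + self._sent
        self._sent += 1
        key = (home, port, n // 256, n % 256)   # one octet of ID per socket
        self.table[key] = Outstanding(request_no, now)
        return key

    def sweep(self, now: float) -> List[int]:
        """Give up on entries older than give_up_after; return their request numbers."""
        expired = [k for k, o in self.table.items()
                   if now - o.sent_at >= self.give_up_after]
        gone = []
        for k in expired:
            o = self.table.pop(k)
            self.log.append(f"Proxy: giving up on request {o.request_no} to "
                            f"home server {k[0]} port {k[1]} - ID {k[3]}")
            gone.append(o.request_no)
        return gone

    def reply(self, key: Key, now: float) -> Optional[int]:
        """Handle a reply arriving at time now. Returns the matched request
        number, or None (with a log line) when nothing is outstanding for key."""
        self.sweep(now)
        o = self.table.pop(key, None)
        if o is None:
            self.log.append("Proxy: No outstanding request was found for proxy "
                            f"reply from home server {key[0]} port {key[1]} - ID {key[3]}")
            return None
        return o.request_no


def simulate(n_requests: int, home_delay: float, give_up_after: float,
             home: str = "home_server_ip_5", port: int = 1812) -> Tuple[int, int]:
    """All n_requests are proxied at t=0 and the home server answers each one
    home_delay seconds later. Returns (matched replies, orphaned replies)."""
    p = Proxy(give_up_after)
    keys = [p.proxy(i + 1, home, port, 0.0) for i in range(n_requests)]
    matched = sum(1 for k in keys if p.reply(k, home_delay) is not None)
    return matched, n_requests - matched


def late_reply_sequence(give_up_after: float = 30.0) -> Tuple[Optional[int], List[str]]:
    """Steps a) to e) from the reply above. Returns (matched request, proxy log)."""
    p = Proxy(give_up_after, first_id=87)       # constructed: ID 87 as in the quoted log line
    home, port = "home_server_ip_5", 1812
    key1 = p.proxy(1, home, port, 0.0)          # a) proxies packet 1
    p.sweep(give_up_after)                      # b) gives up on it after a time
    p.proxy(2, home, port, give_up_after)       # c) proxies a new packet 2
    matched = p.reply(key1, give_up_after + 1)  # d) reply for packet 1 arrives late
    return matched, p.log                       # e) last log line is the "Huh?"


if __name__ == "__main__":
    print(simulate(300, 2.0, 30.0))    # fast home server: every reply matches
    print(simulate(300, 45.0, 30.0))   # home server slower than the give-up time: every reply is orphaned
    print(late_reply_sequence()[1][-1])
```

`simulate(300, 2.0, 30.0)` matches all 300 replies, while `simulate(300, 45.0, 30.0)` orphans all 300, which is the point of the reply: 300 packets are not the problem, a home server that answers after the proxy has already moved on is. A real proxy also checks the Response Authenticator before accepting a match; this model leaves that out.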