EAP-TLS performance SQL backend bottleneck

leopold vova_b at yahoo.com
Thu Sep 10 21:50:48 CEST 2009

OK thanks Alan. I moved sql module call from "authorize" to "post-auth", this
improves performance, but the behavior is different.
Inside policy.conf we have "do_not_respond" policy and if SQL server is down
we need to force server not to respond in "post-auth"
This do_not_respond policy works perfect only if we call it during
"authorize" section. In authorize section we check if SQL module returns
"failed" and do not respond in this case.

However, in "post-auth" section do_not_respond policy does not have effect.
Is there any limit where do_not_respond can be used?

	#	If you want the server to pretend that it is dead,
	#	then use the "do_not_respond" policy.
	do_not_respond {
		update control {
			Response-Packet-Type := Do-Not-Respond


Alan Buxey wrote:
> Hi,
>> If not in "authorize" section, where do I put "sql" module call?
>> We have to go and validate user in SQL and we need to return
>> reply-attributes to the client.
> authorize is used solely to see if someone is able to use a service
> from a particular IP address..at a certain time etc etc. its got
> nothing to do with 'validation' of a user and it shouldnt be
> used for reply attributes.
> to 'validate' a user, use authentication
> to return reply-attributes, call sql in the post-auth section
> (you only want to call this function if they have validated etc)
> its just a case of semantics and understanding what each letter in AAA
> really means
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

View this message in context: http://www.nabble.com/EAP-TLS-performance-SQL-backend-bottleneck-tp25386668p25389882.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

More information about the Freeradius-Users mailing list