EAP-TLS performance SQL backend bottleneck
Alan DeKok
aland at deployingradius.com
Fri Sep 11 15:50:43 CEST 2009
leopold wrote:
> Thank you very much Alan for your reply.
> Let me please clarify the requirements.
> EAP-TLS:
> - perform the needed SSL handshake, there are 11 messages exchanged and I do
> not want to query SQL each time and it degrades performance.
You already said that.
> - find the user/machine in SQL, compare check attributes and respond with
> reply attributes based on SQL data.
You already said that.
> If SQL is down or some other SQL
> connection failure then DO NOT RESPOND.
You already said that.
I already said that this is pointless. If SQL is down, why the heck are
you doing 10-11 EAP packets? It makes no sense.
> If user/machine is not found in SQL DB or check attributes do not match
> reject, otherwise accept.
That's how the server works.
> Your suggestion with sql.authorize in post-auth section "almost" works, the
> only problem is we need to not respond when SQL is down.
Did you bother to read the REST of my message, saying how you could
accomplish this?
> Because otherwise
> RADIUS might respond with Access-Accept and won't send the needed reply
> attributes when SQL is unavailable.
> Could you please change the code if there is no other neat way around to
> still use "do_not_respond" policy in post-auth section?
No.
> Maybe in event.c you could check if control is set not to respond and then
> drop the packet?
No.
Read my previous message again. There is a way to do this without
modifying the server code.
Alan DeKok.