EAP-TLS performance SQL backend bottleneck

Alan DeKok aland at deployingradius.com
Fri Sep 11 15:50:43 CEST 2009


leopold wrote:
> Thank you very much Alan for your reply.
> Let me please clarify the requirements.
> EAP-TLS: 
> - perform the needed SSL handshake, there are 11 messages exchanged and I do
> not want to query SQL each time and it degrades performance.

  You already said that.

> - find the user/machine in SQL, compare check attributes and respond with
> reply attributes based on SQL data.

  You already said that.

> If SQL is down or some other SQL
> connection failure then DO NOT RESPOND.

  You already said that.

  I already said that this is pointless.  If SQL is down, why the heck are
you doing 10-11 EAP packets?  It makes no sense.

> If user/machine is not found in SQL DB or check attributes do not match
> reject, otherwise accept.

  That's how the server works.

> Your suggestion with sql.authorize in post-auth section "almost" works, the
> only problem is we need not to respond when SQL is down.

  Did you bother to read the REST of my message, saying how you could
accomplish this?

> Because otherwise
> RADIUS might respond with Access-Accept and won't send the needed reply
> attributes when SQL is unavailable.
> Could you please change the code if there is not other neat way around to
> still use "do_not_respond" policy in post-auth section?

  No.

> Maybe in event.c you could check if control is set not to respond and then
> drop the packet?

  No.

  Read my previous message again.  There is a way to do this without
modifying the server code.

  Alan DeKok.
