EAP-TLS performance SQL backend bottleneck

leopold vova_b at yahoo.com
Fri Sep 11 16:14:17 CEST 2009

Alan DeKok-2 wrote:
> 
> leopold wrote:
>> Thank you very much Alan for your reply.
>> Let me please clarify the requirements.
>> EAP-TLS: 
>> - perform the needed SSL handshake: there are 11 messages exchanged and I
>> do not want to query SQL each time, as it degrades performance.
> 
>   You already said that.
> 
>> - find the user/machine in SQL, compare check attributes and respond with
>> reply attributes based on SQL data.
> 
>   You already said that.
> 
>> If SQL is down or some other SQL
>> connection failure then DO NOT RESPOND.
> 
>   You already said that.
> 
>   I already said that this is pointless.  If SQL is down, why the heck are
> you doing 10-11 EAP packets?  It makes no sense.
> 
>> If user/machine is not found in SQL DB or check attributes do not match
>> reject, otherwise accept.
> 
>   That's how the server works.
> 
>> Your suggestion with sql.authorize in post-auth section "almost" works,
>> the only problem is we need not to respond when SQL is down.
> 
>   Did you bother to read the REST of my message, saying how you could
> accomplish this?
> 
>> Because otherwise
>> RADIUS might respond with Access-Accept and won't send the needed reply
>> attributes when SQL is unavailable.
>> Could you please change the code if there is no other neat way around to
>> still use "do_not_respond" policy in post-auth section?
> 
>   No.
> 
>> Maybe in event.c you could check if control is set not to respond and
>> then drop the packet?
> 
>   No.
> 
>   Read my previous message again.  There is a way to do this without
> modifying the server code.
> 
The solution with a shell script that tests the SQL server periodically and
kills/restarts the RADIUS daemon is not very neat.
Also, if the polling interval is too low we might miss a DB failure; if it is
too high it will introduce unnecessary load on the DB.
If you already have the capability not to respond, why can't it be used in
POST-AUTH?
Why can't you just check something like this?

    vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE);
    if (vp && vp->vp_integer == 256) {
            request->reply->code = 0;
    }
> 
> 
>   Alan DeKok.

-- 
View this message in context: http://www.nabble.com/EAP-TLS-performance-SQL-backend-bottleneck-tp25386668p25401732.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
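As an added example (not from this thread or from the FreeRADIUS project), the following unlang fragment for the server's post-auth section sketches the approach the thread argues about: run the SQL lookup once, after the EAP-TLS handshake has completed, and treat an unreachable database differently from an unknown user so the server never sends an Access-Accept without its reply attributes. The "sql" instance name and the "Response-Packet-Type := Do-Not-Respond" update are assumptions; whether the server honours that attribute in post-auth is exactly what the thread disputes, so confirm the behaviour of your version with "radiusd -X" before relying on it.

```unlang
# Assumed placement: the "post-auth" section of the virtual server that
# terminates EAP-TLS (example added here, not taken from the thread).
post-auth {
        # The EAP-TLS handshake packets never reach this section, so the
        # SQL lookup runs once per authentication, not once per packet.
        sql.authorize

        # "notfound": no row for the user/machine, or check items did not
        # match.  Fail closed with an explicit Access-Reject.
        if (notfound) {
                reject
        }

        # "fail": the SQL backend is unreachable.  Without this branch the
        # Accept already built by EAP would go out with no reply attributes.
        if (fail) {
                update control {
                        # Assumption: Do-Not-Respond (value 256 in the
                        # internal dictionary) is honoured in post-auth by
                        # your version; if it is not, use "reject" instead.
                        Response-Packet-Type := Do-Not-Respond
                }
        }
}
```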