Upstream NAS flooding my radius

Fajar A. Nugraha list at fajar.net
Thu Dec 15 03:26:02 CET 2011


On Thu, Dec 15, 2011 at 9:11 AM, Nathan M <locu.lists at gmail.com> wrote:
> I have a setup such as:
>
> NAS >  Freeradius Proxy > Freeradius Auth
>
> Periodically the NAS (different company and outside of my control)
> gets rebooted and when it starts up it sends thousands of simultaneous
> requests to the radius proxy, which in turn forwards them all to the
> appropriate freeradius auth server.  The challenge is, the auth server
> can get overwhelmed and starts throwing some of these errors:
>
> Error: rlm_sql (sql): There are no DB handles to use!
>
> I'm curious if there's an elegant way on the freeradius proxy to rate
> limit the # of connections per second being thrown at the auth server.
>  Ideally if the threshold is reached, requests above the threshold
> would be dropped (and not rejected).  I've searched all the docs, the
> mailing list, and config files and haven't turned up a solution yet.

Why would you want it dropped? The NAS would then resend the request,
causing even MORE load to your server. It's better to just reject it
immediately.

The best options I can give right now are either:
- just accept it. There's no magic setting that would automagically
make your problem go away. OR,
- use a fast backend. If you use files for authentication, AND
accounting to detail file, AND don't activate any kind of simultaneous
check, it's easy to get several thousand auth/s. OR
- make your db faster. It might involve hiring a qualified DBA &
sysadmin, or implementing mysql cluster, or buying something like
http://www.clustrix.com/products/

-- 
Fajar
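
The drop-versus-reject point in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code. It is a constructed model: the burst size, the backend capacity per tick, the retry count and the one-tick retransmit timer are all assumptions chosen for illustration, and it does not model users who try again after receiving a reject.

```python
# Constructed model (assumption): one tick = one NAS retransmit interval.
def simulate(burst, capacity, policy, retries=3, max_ticks=1000):
    """Model a NAS sending `burst` Access-Requests at tick 0 to a proxy whose
    backend can answer `capacity` requests per tick.

    policy "drop":   over-capacity requests get no reply, so the NAS
                     retransmits each one next tick, up to `retries` times.
    policy "reject": over-capacity requests get an immediate Access-Reject,
                     which is a final answer, so nothing is retransmitted.

    Returns (packets_seen_by_proxy, answered_by_backend, rejected,
             timed_out_at_nas, ticks_until_quiet).
    """
    pending = [0] * burst  # retransmit count for each outstanding request
    packets = answered = rejected = timed_out = ticks = 0
    while pending and ticks < max_ticks:
        ticks += 1
        packets += len(pending)            # every outstanding request hits the proxy
        served, overflow = pending[:capacity], pending[capacity:]
        answered += len(served)
        if policy == "reject":
            rejected += len(overflow)      # final answer, NAS stops here
            pending = []
        else:
            still_waiting = []
            for tries in overflow:
                if tries < retries:
                    still_waiting.append(tries + 1)  # NAS resends next tick
                else:
                    timed_out += 1                   # NAS gives up
            pending = still_waiting
    return packets, answered, rejected, timed_out, ticks


if __name__ == "__main__":
    for policy in ("drop", "reject"):
        print(policy, simulate(burst=5000, capacity=500, policy=policy))
```

With these numbers the proxy sees 17000 packets over four ticks when it drops, against 5000 packets in one tick when it rejects.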



