Degradation of service when authentication fails with Windows AD

Antonio Alberola aalberola at gtt.es
Wed Feb 6 13:19:40 CET 2013


Hi,

>> I'm having random authentication failures and I think they are due to 
>> a Radius server internal failure. I use Radius for authenticating the 
>> email of users in Windows Active Directory via PAM. Before I used NTLM 
>> and Kerberos together, and now I use PAM.
> 
> This is confusing. FreeRADIUS is calling the "pam" module, yes? So what is
> the PAM stack calling?

That's correct. I need RADIUS for authenticating POSTFIX users because the
authentication depends on the POSTFIX users, via PAM (WINDOWS AD) or UNIX
account. I also have many WINDOWS Domains and we need to send the credentials to
the correct one.

> In short: the problem you are experiencing with FreeRADIUS is because
> your authentication mechanism (PAM) is taking too long to respond.
> This is consuming all threads in the pool, which explains the log messages
> you see. 
> 
> Fix the PAM stack to fail over properly, and this problem will go away.

I understand that the PAM mechanism is slow, some domains more than others.
But, I don't understand why RADIUS doesn't clean up this request with some
timeout mechanism. It's very simple to create a script for crashing the
server with a DoS attack. I need a configuration parameter to deny the
request if the PAM module doesn't respond on time.
Why is the RADIUS server accepting duplicate requests for queries that have
already been sent to it? This is the cause of all threads being busy, correct?
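As an added illustration, not part of this thread, here is a small event-driven model of a fixed thread pool whose workers block on a PAM backend: a handful of logins against a hung AD domain pin every thread, so later logins to a healthy domain are answered only after the mail server has stopped waiting, while a PAM stack that times out on the hung domain keeps the pool available. The pool size, domain latencies and timeouts are constructed values, not taken from the list post or from FreeRADIUS defaults.

```python
import heapq

def simulate(arrivals, latency, pool_size, client_timeout, backend_timeout=None):
    """Model a fixed thread pool whose workers block on a PAM/AD backend.
    arrivals: (time, domain) pairs; latency[domain]: backend answer time.
    A request holds a thread for the full latency unless the PAM stack gives
    up after backend_timeout and fails it, freeing the thread early. A reply
    later than client_timeout after arrival is 'abandoned': the mail server
    stopped waiting, which the user sees as a random authentication failure."""
    free = pool_size
    backlog = []                                   # FIFO of (arrival_time, domain)
    events = [(t, 0, dom) for t, dom in arrivals]  # kind 0 = arrival, 1 = thread freed
    heapq.heapify(events)
    stats = {"answered": 0, "backend_timeout": 0, "abandoned": 0, "max_backlog": 0}

    def dispatch(now):                 # hand queued requests to free threads
        nonlocal free
        while free and backlog:
            arrived, dom = backlog.pop(0)
            gave_up = backend_timeout is not None and latency[dom] > backend_timeout
            done = now + (backend_timeout if gave_up else latency[dom])
            free -= 1
            heapq.heappush(events, (done, 1, (arrived, gave_up)))

    while events:
        now, kind, payload = heapq.heappop(events)
        if kind == 0:
            backlog.append((now, payload))
        else:
            arrived, gave_up = payload
            free += 1
            if gave_up:
                stats["backend_timeout"] += 1
            elif now - arrived > client_timeout:
                stats["abandoned"] += 1
            else:
                stats["answered"] += 1
        dispatch(now)
        stats["max_backlog"] = max(stats["max_backlog"], len(backlog))
    return stats

# Constructed scenario: 4 threads; one AD domain answers in 1 s, another is
# hung at 30 s; four logins hit the slow domain, then six hit the fast one.
LATENCY = {"fast.example": 1.0, "slow.example": 30.0}
ARRIVALS = [(t, "slow.example") for t in range(4)] + [(t, "fast.example") for t in range(4, 10)]

def compare(pool_size=4, client_timeout=10.0, backend_timeout=5.0):
    # Same traffic with and without the PAM stack timing out on the hung domain.
    no_cap = simulate(ARRIVALS, LATENCY, pool_size, client_timeout)
    capped = simulate(ARRIVALS, LATENCY, pool_size, client_timeout, backend_timeout)
    return no_cap, capped
```

Without a backend timeout every login is abandoned, including the six against the healthy domain; with the PAM stack failing the hung domain after 5 s, those six are answered and only the four hung logins fail, which is the fail-over behaviour the reply above asks for.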
