Degradation of service when authentication fails with Windows AD

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 6 13:39:19 CET 2013


On 06/02/13 12:19, Antonio Alberola wrote:

> I understand that the PAM mechanism is slow, some domains more than others.
> But, I don't understand why RADIUS doesn't clean this request with some
> timeout mechanisms. It's very simple to create a script for crashing the
> server with a DoS attack. I need a configuration parameter to deny the
> request if the PAM module doesn't respond in time.

The PAM APIs are synchronous, and don't offer timeout options. It's not 
possible to time out a PAM call; FreeRADIUS is entirely at the mercy of PAM.

Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and 
FreeRADIUS can time out the call.


> Why is the RADIUS server accepting duplicate requests for queries that have
> already been sent to it? This is the cause of all threads being busy, correct?

No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process 
them, because they're duplicates. But it logs them, because duplicates 
are a symptom of too-slow authentication.
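The ntlm_auth alternative described above, as an added configuration example that is not part of the original post: the rlm_exec module runs ntlm_auth as a child process and its `timeout` setting kills the child and fails the request when the domain controller is slow, which is the control PAM cannot provide. The domain name, binary path and file locations are assumptions; adjust them to your site.

```text
# Assumed location: raddb/modules/ntlm_auth (2.x) or raddb/mods-available/ntlm_auth (3.x)
exec ntlm_auth {
	# Wait for the child and use its exit code as the result
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
	# Kill the child and reject the request if it has not returned within
	# this many seconds; without a bound, a slow DC ties up a worker thread.
	timeout = 5
}

# Assumed location: raddb/sites-enabled/default
authorize {
	...
	# Route clear-text (PAP) requests to the ntlm_auth module
	if (User-Password) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
	...
}

authenticate {
	...
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	...
}
```

With the timeout in place, a stalled backend produces an Access-Reject and a log line for the timed-out request instead of the "all threads are busy" condition and the duplicate-request warnings described above.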

