Degradation of service when authentication fails with Windows AD

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 11 13:32:52 CET 2013


On 11/02/13 11:23, Antonio Alberola wrote:

> When we monitored the network and one of the Windows AD we could confirm
> that requests from Radius don't reach the AD, because they don't leave
> Radius. We believe that connectivity between Radius and AD is correct, they
> are on the same LAN and the AD continues to validate correctly even when
> Radius is failing.

Let me put this as simply as possible, but I'm getting tired of 
repeating myself:

Do not use PAM. PAM APIs are blocking. If PAM or an underlying module 
hangs, the thread in FreeRADIUS will hang. If you keep receiving 
authentication requests, eventually the entire thread pool will be blocked.

Do not use PAM.

Is this clear?

>
>  From my point of view, for any reason, Radius receives requests that it can
> not manage, because of the AD, the network or whatever. These requests keep
> waiting and the buffer fills completly. I don't know why these requests are
> not removed from the queue and the buffer is cleared in order to allow new
> request. In this way we could avoid that request to the rest of the AD fail
> because of a particular AD.

Because FreeRADIUS doesn't work that way. It uses a thread pool (of 
finite size) to process requests in a blocking fashion. If the API or 
intermediate system it calls blocks forever, FreeRADIUS blocks forever, 
and if you keep receiving requests, eventually your entire thread pool 
will be exhausted.

FreeRADIUS cannot timeout synchronous C API calls. This is impossible to 
do safely in POSIX.

Is this clear?

Only a few FreeRADIUS modules can "timeout" requests. The "exec" module 
(and functionality built on top of it) is one of them.

Therefore, you should be using "exec" wrapping "ntlm_auth" from Samba.

Unfortunately, the "exec" timeout is hard-coded in the source at 10 
seconds. Therefore, depending on your load, you might still suffer 
thread pool exhaustion. But it will self-correct, because the requests 
will eventually time out.

I hope I had made myself clear.

Regards,
Phil


More information about the Freeradius-Users mailing list