Degradation of service when authentication fails with Windows AD

Alan DeKok aland at deployingradius.com
Mon Feb 11 14:03:04 CET 2013


Antonio Alberola wrote:
> I have a mail server where users are validated with local accounts (UNIX) or
> against a Windows AD. For this reason we use Radius. Sometimes the Radius
> server fails and stops authentication for everybody. At that point the logs
> that I sent to you appear. I need to restart Radius in order for it to work
> again.

  The RADIUS *server*, or the entire machine?  You've been vague as to
what you mean.  Please be precise.  It's the only way we can help you.

> When we monitored the network and one of the Windows AD we could confirm
> that requests from Radius don't reach the AD, because they don't leave
> Radius.

  Again, the RADIUS *server* doesn't contact AD.  It's another component
on the same machine.  Maybe Kerberos, maybe Samba.  Have you tried to
find out *which* component is causing the problem?

> We believe that connectivity between Radius and AD is correct, they
> are on the same LAN and the AD continues to validate correctly even when
> Radius is failing.

  That doesn't mean much.  It's nice, but the problem could be somewhere
else.

  i.e. I've seen people put firewalls between the RADIUS server and a
database.  The firewall then drops the database connections RADIUS
started.  So RADIUS gets blocked.  But you can still ping the DB from
the RADIUS machine.  And new connections work fine.

> From my point of view, for whatever reason, Radius receives requests that it can
> not manage, because of the AD, the network or whatever. These requests keep
> waiting and the buffer fills completely. I don't know why these requests are
> not removed from the queue and the buffer is cleared in order to allow new
> requests.

  Because FreeRADIUS doesn't implement *EVERYTHING* itself.  It relies
on libraries / other programs for AD connectivity.  If those libraries
block, the underlying APIs often don't *allow* FreeRADIUS to detect that
and recover.

  You need to stop blaming FreeRADIUS.  It's preventing you from finding
out what the real problem is.

  Again, it's like you're trying to drive a car with no petrol in it.
You're stuck looking at the gauge in front of you.  You're thinking you
may need to replace it.  All the time we're trying to tell you PUT MORE
PETROL IN THE TANK.

  Start paying attention to the responses on this list.  It's the only
way you'll get the problem solved.

  Alan DeKok.
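The advice above is to find out which component on the RADIUS host is blocking before looking at FreeRADIUS itself. The following script is an added diagnostic example, not code from this thread or from the FreeRADIUS project: it runs an AD-facing helper such as Samba's ntlm_auth under a hard time limit, so a helper that silently stops returning shows up as HUNG rather than as requests piling up in the queue. The domain, user name and password in the usage comment are placeholders; the ntlm_auth flags shown are that tool's own.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Runs the helper that
# FreeRADIUS hands AD work to (e.g. Samba's ntlm_auth) with a time limit.
# A helper that answers quickly but fails is an auth/config problem; one
# that never answers is the blocking library call described in the reply.

# probe_backend LIMIT_SECONDS COMMAND [ARGS...]
# Prints OK / FAIL / HUNG and returns 0 / 1 / 2.
probe_backend() {
    limit="$1"; shift
    status_file=$(mktemp) || return 1

    # Run the helper in a subshell that writes its exit status when it
    # finishes. Polling for that file needs only POSIX sh (no `timeout`),
    # and a helper that hangs never writes it.
    (
        rc=0
        "$@" >/dev/null 2>&1 || rc=$?
        echo "$rc" > "$status_file"
    ) &
    pid=$!

    waited=0
    while [ ! -s "$status_file" ]; do
        if [ "$waited" -ge "$limit" ]; then
            kill "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            rm -f "$status_file"
            echo "HUNG (no answer within ${limit}s)"
            return 2
        fi
        sleep 1
        waited=$((waited + 1))
    done

    rc=$(cat "$status_file")
    rm -f "$status_file"
    wait "$pid" 2>/dev/null || true
    if [ "$rc" -eq 0 ]; then
        echo "OK   (answered in ${waited}s)"
        return 0
    fi
    echo "FAIL (rc=$rc after ${waited}s)"
    return 1
}

# Example usage against Samba's ntlm_auth (placeholder domain/user/password).
# Run it from cron or a monitoring check on the RADIUS host: a HUNG result
# points at winbind/AD connectivity, not at FreeRADIUS.
#   probe_backend 5 ntlm_auth --request-nt-key --domain=EXAMPLE \
#       --username=probeuser --password=probepassword
```

Because the probe is independent of the RADIUS daemon, it can distinguish the three cases Alan separates: the helper works (look elsewhere), the helper rejects the credentials (AD or Samba configuration), or the helper blocks (the component FreeRADIUS cannot recover from on its own).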

