CPU intensive authorization module issue

Stefan Winter stefan.winter at restena.lu
Thu Mar 27 15:21:19 CET 2014


Hi,

> But if I put it under inner-tunnel/authorize will it still work with
> PAP/CHAP (without 802.1x) and EAP-MD5 and others which are not using an
> inner-tunnel? Since I can't know in advance when each will be used.
> It is my understanding that for those without inner-tunnel I need to put
> the code in the main authorize as well as within the inner-tunnel, which
> will result in expensive SQL calls when 802.1x will be used because the
> main global authorize will then be invoked.

Well, you could have mentioned in your initial post that you are also
considering non-EAP scenarios. You didn't, so my reply was limited to EAP.

If you do non-EAP, then yes, your module needs to be in
default/authorize - but it can be skipped if there *is* an EAP-Message
attribute in the request.

Something like this inside default/authorize should do (v2; probably
also works on v3):

# skip the expensive module whenever the request carries EAP
if (!EAP-Message) {
	your_module
}

Depending on your setup, you could also work with different virtual
servers; instead of having "default", make it "default-eap" and
"default-other"; one has your module in authorize, the other not. You
then need to make sure that the non-EAP clients are processed by the
default-other virtual server and vice versa.

Greetings,

Stefan Winter

> 
> 
> 
> 2014-03-27 8:58 GMT-04:00 Stefan Winter <stefan.winter at restena.lu>:
> 
>     Hi,
> 
>     this is a usage question, redirecting to -users.
> 
>     You should call your module only in inner-tunnel/authorize, not in the
>     outer request (default/authorize).
> 
>     Greetings,
> 
>     Stefan Winter
> 
>     On 27.03.2014 13:53, Yannick Koehler wrote:
>     > Hi,
>     >
>     >   I have an authorization module to write for FreeRADIUS that does a
>     > fair amount of CPU intensive SQL queries, 1-2 seconds time. But the
>     > problem is that when a 802.1x authentication is occurring this event
>     > occurs many times, 4-5 times at each reception of RADIUS Access Request.
>     > Also, at that time the username is not the final one (normally the final
>     > one is sent within the MSCHAPv2 from within the TLS tunnel used by PEAP
>     > or EAP-TLS or EAP-TTLS).
>     >
>     >   Is there a way for my authorization module to trigger the work to be
>     > done only if EAP is at the stage of handling the internal
>     > authentication? Can for example my module communicate with the EAP
>     > module and look at an internal flag somewhere to know if the TLS tunnel
>     > has been completed?
>     >
>     >  I would like the following:
>     >
>     >    Access Request (EAP identity response) -> authorization module - no
>     > CPU intensive
>     >    <-- Access Challenge (EAP TLS Server Hello)
>     >
>     >    Access Request (EAP TLS Client Hello) -> authorization module - no
>     > CPU intensive
>     >    <-- Access Challenge
>     >
>     >   etc. until TLS is established
>     >
>     >    Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU
>     > intensive query
>     >    <-- Access Accept
>     >
>     > --
>     > Yannick Koehler
>     >
>     >
>     >
>     >
> 
> 
>     --
>     Stefan WINTER
>     Ingenieur de Recherche
>     Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>     de la Recherche
>     6, rue Richard Coudenhove-Kalergi
>     L-1359 Luxembourg
> 
>     Tel: +352 424409 1
>     Fax: +352 422473
> 
>     PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>     recipient's key is known to me
> 
>     http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> 
> 
> 
> 
> -- 
> Yannick Koehler
> Courriel: yannick at koehler.name
> Blog: http://corbeillepensees.blogspot.com


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
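The placement Stefan describes, written out as an added example (not code from the thread or from the FreeRADIUS distribution): the expensive module is named `expensive_sql` as a hypothetical stand-in for the poster's module, and v3-style site syntax is assumed.

```unlang
# Added example: a hypothetical module "expensive_sql" placed so that it
# never runs on the outer 802.1X packets, whose identity is unauthenticated
# and usually not the final username, but only where the real credentials
# are seen. v3-style syntax assumed.
server default {
    authorize {
        preprocess
        # Outer EAP requests carry EAP-Message; PEAP/TTLS deliver the real
        # credentials to the inner-tunnel server below, so the expensive
        # work is done here only for non-EAP (PAP/CHAP/MS-CHAP) requests.
        # Caveat: tunnel-less EAP methods such as EAP-MD5 also carry
        # EAP-Message and therefore never reach expensive_sql.
        if (!EAP-Message) {
            expensive_sql
        }
        eap {
            ok = return
        }
        pap
        chap
        mschap
    }

    authenticate {
        Auth-Type PAP { pap }
        Auth-Type CHAP { chap }
        Auth-Type MS-CHAP { mschap }
        eap
    }
}

# Processes the decrypted inner request of PEAP and EAP-TTLS, so the
# module sees only the tunnelled packets that carry the final username,
# not every outer TLS handshake round trip.
server inner-tunnel {
    authorize {
        expensive_sql
        mschap
        pap
    }

    authenticate {
        Auth-Type PAP { pap }
        Auth-Type MS-CHAP { mschap }
        eap
    }
}
```

The peap and ttls sections of the eap module configuration must point `virtual_server` at "inner-tunnel" for the second server to be used.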