CPU intensize authorization module issue

Alan DeKok aland at deployingradius.com
Thu Mar 27 18:52:00 CET 2014

Yannick Koehler wrote:
> While I do agree with you, working on the SQL aspect is not a
> possibility in this case.  It also first appeared that invoking any
> external code only when its outcome will be meaningful is more
> appropriate and easier to do.  And if Stefan suggestion works, it would
> then be true.

  It will be easy and will help.  It won't solve the problem.  The long
SQL queries may cause new problems in the future.

> In any case, it does appear illogical to request 4-5 times the same
> query (independentely of their time taken to execute) to an SQL database
> and discard its result each time based on a username that is not yet
> validated (not the inner-tunnel username) and may not be the correct one. 

  You *can* edit the configuration files.  That's why they're text.

  The default configuration is meant to work in as many situations as
possible.  This includes people who don't use EAP.  And people who have
functional SQL servers.

  We expect that you understand the configuration you're using.  If the
configuration is imperfect, then change it.

  I'll note that running the server in debugging mode would have shown
you what was happening.  The solution would then have been fairly obvious.

  There's a reason we always suggest debugging mode.  It is impossible
to create "howtos" for every RADIUS configuration.  Instead, we give
guidelines for how to configure the server, and we show you what the
server is doing.  The next step is to understand your configuration, and
optimize it.

  Alan DeKok.

More information about the Freeradius-Users mailing list