[EXTERNAL] Re: Understanding FreeRADIUS statistics
dominic.stalder at unibe.ch
dominic.stalder at unibe.ch
Tue Jun 25 12:53:23 UTC 2024
Hi Alister
Thanks a lot, great point; did not know, that we have enabled caching until you mentioned it now! I took over the old FreeRADIUS 3.0 configuration from a former University member and this part was completely "ignored" by me. Just checked the mods-enabled folder and voilà:
/etc/freeradius/mods-enabled/cache_eap
#
# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
update reply {
reply: += &reply:
&control:State := &request:State
}
}
I just read about it here: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/cache
What I understand:
- key is made of some state variables
- ttl is 15 seconds only
You see, new to this as well. Can I see cached "authentications" in the logs or can I enable the logging for those (/etc/freeradius/mods-enabled/linelog) somehow?
Regards
Dominic
Am 25.06.24, 14:26 schrieb "Freeradius-Users im Auftrag von Winfield, Alister (Senior Solutions Architect) via Freeradius-Users" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org> im Auftrag von freeradius-users at lists.freeradius.org <mailto:freeradius-users at lists.freeradius.org>>:
Not necessarily…
If it gets the ‘same’ request before the timeout of the already proxied request it might well not proxy it and wait for the other request to return (or timeout) first. Also not knowing your config it could have caching enabled especially ‘reject’ caching which is often seriously beneficial. (not all devices are sane when you tell them to go away).
Alister.
From: Freeradius-Users <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org <mailto:sky.uk at lists.freeradius.org>> on behalf of dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch> <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>>
Date: Monday, 24 June 2024 at 21:51
To: freeradius-users at lists.freeradius.org <mailto:freeradius-users at lists.freeradius.org> <freeradius-users at lists.freeradius.org <mailto:freeradius-users at lists.freeradius.org>>
Subject: [EXTERNAL] Re: Understanding FreeRADIUS statistics
A general question, what is considered as Proxy requests?
As I said: our FreeRADIUS server is acting ONLY as proxy server, so if there are more than (let‘s say) 2000 Access Requests, there should be around 2000 proxy requests counted as well? Maybe a special note: our own realms are only sent to our backend servers in phase 2 of PEAP/MS-CHAPv2. Does this not count as proxy request?
________________________________
Von: Freeradius-Users <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org>> im Auftrag von Alan DeKok <aland at deployingradius.com <mailto:aland at deployingradius.com>>
Gesendet: Monday, June 24, 2024 10:21:10 PM
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org <mailto:freeradius-users at lists.freeradius.org>>
Betreff: Re: Understanding FreeRADIUS statistics
On Jun 24, 2024, at 3:58 PM, <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>> <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>> wrote:
> Just to confirm or let you know; I do get " FreeRADIUS-Total-Proxy-Access-Accepts" and " FreeRADIUS-Total-Proxy-Access-Rejects" now / as well, BUT compared to "FreeRADIUS-Total-Proxy-Access-Requests" and "FreeRADIUS-Total-Proxy-Auth-Responses" it is apparently pretty low:
The counters are incremented on packet retransmits, so the number of Access-Requests may be larger than the number of Access-Accepts.
But the numbers should generally be relatively close.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<http://www.freeradius.org/list/users.html><http://www.freeradius.org/list/users.html%3chttp:/www.freeradius.org/list/users.html%3e> <http://www.freeradius.org/list/users.html;>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
--------------------------------------------------------------------
This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by using the report message button in Outlook or sending them as an attachment to phishing at sky.uk <mailto:phishing at sky.uk>. Thank you
--------------------------------------------------------------------
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky Limited and Sky International AG and are used under licence.
Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075), Sky Subscribers Services Limited (Registration No. 2340150) and Sky CP Limited (Registration No. 9513259) are direct or indirect subsidiaries of Sky Limited (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
More information about the Freeradius-Users
mailing list