Hello,
I would like to know if OpenSER supports some type of authentication credentials caching, to improve the performance when a non-local authentication service (i.e. RADIUS) is used. If it is not supported, are there any plans to include this functionality in future versions?
Bests, JB _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Hi John,
Credential caching is not support - for any of the backends (radius or sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module param in auth_db module.
Regards, Bogdan
John Barry wrote:
Hello,
I would like to know if OpenSER supports some type of authentication credentials caching, to improve the performance when a non-local authentication service (i.e. RADIUS) is used. If it is not supported, are there any plans to include this functionality in future versions?
Bests, JB _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ _______________________________________________ Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the backends (radius or sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module param in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user attributes as reply items. these attributes can change any time and thus cannot be cached.
-- juha
El Lunes, 18 de Febrero de 2008, Juha Heinanen escribió:
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the backends (radius or sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module param in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user attributes as reply items. these attributes can change any time and thus cannot be cached.
In fact I think that the only caching making sense would be directly in the final backend (DB, Radius, LDAP..).
Does anyone know of any Cacti templates for graphing the data from SNMPStats? I couldn't find anything with Google...
Thanks in advance.
Michael Young
No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.7/1285 - Release Date: 2/18/2008 5:50 AM
Iñaki Baz Castillo schrieb:
El Lunes, 18 de Febrero de 2008, Juha Heinanen escribió:
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the backends (radius or sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module param in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user attributes as reply items. these attributes can change any time and thus cannot be cached.
In fact I think that the only caching making sense would be directly in the final backend (DB, Radius, LDAP..).
FYI: I think the original question refers to IMS, where the S-CSCF can retrieve pre-calculated nonces and responses from the diameter server to avoid diameter requests for each authentication.
klaus
Hello all,
Thank you for your responses.
Indeed, I was thinking about a caching mechanisms similar to the one used in IMS, as Klaus described in the previous post.
If I store in a memory structure the authentication credentials (i.e. user and password) following some cache policy, I could use this structure to check if the user exists and check his/her identity without having to contact a remote database/radius server (where network latency typically is a bottleneck). If the user credentials are not in the cache, then OpenSER will contact the database/radius server to authenticate the user (normal procedure).
Maybe I am oversimplifying the problem. Could you help me to understand better why this is not possible?
Thanks, JB
Klaus Darilion-2 wrote:
Iñaki Baz Castillo schrieb:
El Lunes, 18 de Febrero de 2008, Juha Heinanen escribió:
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the backends (radius
or
sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module
param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user attributes as reply items. these attributes can change any time and thus cannot be cached.
In fact I think that the only caching making sense would be directly in the final backend (DB, Radius, LDAP..).
FYI: I think the original question refers to IMS, where the S-CSCF can retrieve pre-calculated nonces and responses from the diameter server to avoid diameter requests for each authentication.
klaus
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
JB74 writes:
If I store in a memory structure the authentication credentials (i.e. user and password) following some cache policy, I could use this structure to check if the user exists and check his/her identity without having to contact a remote database/radius server (where network latency typically is a bottleneck). If the user credentials are not in the cache, then OpenSER will contact the database/radius server to authenticate the user (normal procedure).
Maybe I am oversimplifying the problem. Could you help me to understand better why this is not possible?
jb,
what you describe is, of course, possible (unless user changes his/her password and cached credential don't work anymore) if your intention is JUST to authenticate the user.
if you read openser the radius authentication, you'll notice that authentication query may also return reply items that cause AVPs to be setup. for me these reply items are extremely important, because they contain all kinds of attributes associated with the authenticated user and his/her uri, and, due to they changing nature, it is not possible to cache them.
hope this explains why caching of credentials does not help to save the radius query.
-- juha
Caching authentication credentials surely speeds up the SIP digest authentication process a little bit. At the same time, it introduces a state synchronization issue because the credential database's state may differ from the credential cache state. What happens if I change a password in the database? Does it trigger a cache update?
In my opinion, these issues together with added code complexity outweigh the slight speed improvements resulting from a credential cache. Performance measurements with mysql and ldap backend have shown that openser can handle a huge number of authenticated SIP requests (>300 cps on dual xeon) without caching of auth credentials.
/Christian
JB74 wrote:
Hello all,
Thank you for your responses.
Indeed, I was thinking about a caching mechanisms similar to the one used in IMS, as Klaus described in the previous post.
If I store in a memory structure the authentication credentials (i.e. user and password) following some cache policy, I could use this structure to check if the user exists and check his/her identity without having to contact a remote database/radius server (where network latency typically is a bottleneck). If the user credentials are not in the cache, then OpenSER will contact the database/radius server to authenticate the user (normal procedure).
Maybe I am oversimplifying the problem. Could you help me to understand better why this is not possible?
Thanks, JB
Klaus Darilion-2 wrote:
Iñaki Baz Castillo schrieb:
El Lunes, 18 de Febrero de 2008, Juha Heinanen escribió:
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the backends (radius
or
sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module
param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user attributes as reply items. these attributes can change any time and thus cannot be cached.
In fact I think that the only caching making sense would be directly in the final backend (DB, Radius, LDAP..).
FYI: I think the original question refers to IMS, where the S-CSCF can retrieve pre-calculated nonces and responses from the diameter server to avoid diameter requests for each authentication.
klaus
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users
-
Bogdan-Andrei Iancu -
Christian Schlatter -
Iñaki Baz Castillo -
JB74 -
jh@tutpro.com -
John Barry
-
Klaus Darilion -
Michael Young