Radius experience... was Re: [Serusers] "Best practice" document
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Feb 21 10:11:42 CET 2005
Hi Greger!
Greger V. Teigre wrote:
...
> Agree. We use RADIUS-based authentication and authorization with
> distributed RADIUS servers. Only usrloc is stored in mysql (we use
I want to ask about your radius experiences. We (www.at43.at) are also
using radius authentication. All the radius requests are sent to a local
radius proxy which forwards the request to the radius server of the
participating groups (universities, schools ...).
If one of the remote radius servers is down, we are having problems with
ser. Ser's threads are busy, waiting for the radius authorization
responses and ser is slowing done. Then, the client starts to retransmit
their REGISTER messages and ser is getting busier and busier until all
threads are busy with authentication requests. Thus, the complete
service will be down only if one of the radius servers is down.
We have reduced the proxy load by replying "100...trying" to all
REGISTER requests, which reduces retransmissions in case of slow
authentication. We also tried to tweak the radius retransmission and
timeout settings but could not find a satisfying solution yet.
Do you also have problems in your distributed radius setup? Maybe you
could post a little about your experience with distributed radius.
All other radius users are also welcome to post their radius experiences.
regards,
klaus
PS: I hope Maxim's patch for stateful authentication is going into 0.9.0
More information about the sr-users
mailing list