[rbak-nsp] auth storm and problem with freeRadius

David Freedman david.freedman at uk.clara.net
Sat Apr 18 20:25:48 EDT 2009


FreeRadius should be just fine, we use a similar setup and have had to cope with such authentication
"storms" before, if you don't get the access-accept back to the redback in time, LCP auth times out,
the session collapses and user comes back to try again, a quite horrible cycle of events.

The most important thing here is to understand how long an authentication request takes from start to finish, 
this will include everything from FreeRadius getting a database connection to the runtime of all involved queries and then sending back the response.

The longer the authentication request takes, the more likely it is that you will encounter some blocking somewhere.

The most common place to block here is in the database, where you block a freeradius db connection handle because your SQL takes long to execute, it is important therefore that you optimise your SQL as much as possible and configure freeradius with sufficient database handles such to be able to service <n> requests blocking for period of time <x>.

We wrote some software which benchmarks our radius platform by throwing multiple requests at it and seeing how many of these can be serviced at a time.

The other thing to check is that your SEOS AAAD doesn't start throttling and become a bottleneck, you can change the thresholds if this is the case.


------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



-----Original Message-----
From: redback-nsp-bounces at puck.nether.net on behalf of Marcin Kuczera
Sent: Sat 4/18/2009 11:54
To: redback-nsp at puck.nether.net
Subject: [rbak-nsp] auth storm and problem with freeRadius
 
well,

since some time we have some problems with radius, process dies just 
like that (on one server) and on the other stops responding.

let's pick the one that dies:
db:~# dpkg -s freeradius
Package: freeradius
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 1604
Maintainer: Stephen Gran <sgran at debian.org>
Architecture: i386
Version: 2.0.4+dfsg-6
Provides: radius-server

last night, after when I had a problem:
Apr 17 21:14:17: %PPAL2-3-PPPOE_ERR: 
a593028b/0002524333/907900000:02/IPPA/EU00:Failed to allocate memory for 
pppoe throttle node -
0004c20c 0009ae08 0004bee4 0009036e 00098138 00098110 00000000

I did a reload of card #2.
So - all subscribers (pppoe and clips) went down.


After reload all I had a little storm of auth requests.. and - I had to 
start freeradius about 20 times for ~900subcribers (It's just start of 
moving subscribers to redback so - not too much).

Did anyone had such problems and what could help on freeradius side ?

Or - which radius working with postgresql would you recommend ?

Regards,
Marcin

_______________________________________________
redback-nsp mailing list
redback-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/redback-nsp

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20090419/069ad15b/attachment.html>


More information about the redback-nsp mailing list