[RADIATOR] Increase tacacs performance

Schnurrenberger Tobias (ID) tobias.schnurrenberger at id.ethz.ch
Mon Mar 6 06:15:13 UTC 2023


Dear Heikki

This is great, your suggestions solved the problem!

> When AllowAuthorizeOnly is set, Radiator triggers an Access-Request that 
> has 'Service-Type = Authorize-Only' but no User-Password attribute. In 
> your case you could catch these requests with a specific Handler and 
> then run the 'authorizeSQL' AuthBy only within this new Handler.
> 
> When you know you can handle 'Service-Type = Authorize-Only' TACACS+ 
> derived access requests, you can enable FarmSize on the frontend.

With the first step, Authorization-Only in the backend and a FarmSize of 8 in the frontend, the TCP errors dropped from approx. 1000 to 100 per second. With a doubling of the FarmSize to 16 they decreased again but stayed at a level of approx. 50/s.

We observed that the CPU load was still at 100% on all cores for 2-3 seconds. Thus we also doubled the count of virtual CPUs from 8 to 16, and with this step the errors are finally gone. The "tacacs server unreachable" logs on the clients (switches & routers) have also disappeared completely.

This is the config we added:

FRONTEND (before <Client ...> section):
FarmSize 16
DupCache shared
DupCacheFile /var/run/radius/rad_auth-tacacs-frontend-%0

BACKEND (before default <Handler> section):
<Handler Service-Type=Authorize-Only>
Identifier TacacsAuthorizeOnly
AuthByPolicy ContinueWhileAccept
AuthBy SQLauthorizeTAC
AuthBy InternalReply
RejectHasReason
AuthLog authlog-tacacs
</Handler>

Thank you and best regards, 
Tobias

-------------------------------------------------------
ETH Zürich
Tobias Schnurrenberger
ID INFRA Network Applications
Binzmühlestrasse 130
8092 Zürich

tobias.schnurrenberger at id.ethz.ch
-------------------------------------------------------
