(RADIATOR) How many <Handlers> do you have?

Dave Kitabjian dave at netcarrier.com
Wed Jan 12 15:44:39 CST 2005


Sounds pretty intense.

Without giving it too much thought, I'll share the following comments.

I agree that a separate Handler for each realm is poor both for
performance reasons and for maintainability. You don't want to be
modifying your config file every 10 minutes because a realm is being
added or removed from your system.

Since most of your complexity is from multiple realms, let's get
specific realms out of the config file. Add a PreProcessingHook which
queries a separate SQL database to find out "what to do" with the realm
of the current packet. Based on the results from the database, have the
hook add one (of hopefully only a few) custom RADIUS Attributes to the
request. Then use one default realm handler. In that Handler, you can
decide whether to proxy or whatever based on that attribute.

Then you can just manage the huge list of realms by changes to the SQL
database, and your config file can remain rather static. 

Thoughts?

Dave

> -----Original Message-----
> From: miko at yournetplus.com [mailto:miko at yournetplus.com]
> Sent: Wednesday, January 12, 2005 6:33 AM
> To: Frank Danielson
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) How many <Handlers> do you have?
> 
> Essentially we operate several radius machines that authenticate from
> major backbone carriers. Each of these machines has anywhere from
eighty
> to several hundred realms that it auths, many of which operate
subrealms
> as I described previously. Our radius boxes handle these realms in
> different fashions, some are proxied to downstreams and others are
handled
> in databases, and some are handled using other authby systems.
> 
> Our goal is to merge these systems together so that we do not have to
> maintain as many systems, thus we end up having a few thousand realms
> total that need to be handled... We also auth based on not only realm
but
> also prefixes of the username being authed, which is what originally
> prompted me to use handlers...
> 
> -Miko
> 
> <----- Original Message ----->
> From: Frank Danielson <fdanielson at csky.com>
> To: miko at yournetplus.com, radiator at open.com.au
> Sent: Wednesday, January 12, 2005 6:09:30 PM
> Subject: (RADIATOR) How many <Handlers> do you have?
> > Hi Miko-
> >
> > What are you planning to do inside all these handlers? Are you
proxying
> the
> > requests to a downstream server, authorizing against a database, or
> > something else?
> >
> > Since Hugh has already established that 4000 handlers is not a good
idea
> and
> > you've established that realms probably won't work either, how about
> giving
> > us the whole scenario and maybe someone on the list will have a good
> idea or
> > has already solved a similar problem?
> >
> > -Frank
> >
> > -----Original Message-----
> > From: miko at yournetplus.com [mailto:miko at yournetplus.com]
> > Sent: Wednesday, January 12, 2005 3:29 AM
> > To: Hugh Irvine
> > Cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) How many <Handlers> do you have?
> >
> >
> > Unfortunately we cannot use SQLRadius or Realm clauses because we
need
> to
> > be able to support other attributes besides the realm and the realms
> that
> > we have must also support subrealms (ie. sub.realm.com) without the
> > configuration knowing what the sub portion of the realm is. At
present I
> > only know to that with regular expressions in a Handler clause...
> >
> > -Miko
> >
> > <----- Original Message ----->
> > From: Hugh Irvine <hugh at open.com.au>
> > To: "miko at yournetplus.com" <miko at yournetplus.com>
> > CC: radiator at open.com.au
> > Sent: Wednesday, January 12, 2005 1:10:15 AM
> > Subject: (RADIATOR) How many <Handlers> do you have?
> >
> >>Hello Miko -
> >>
> >>A configuration with 4000-5000 Handlers is not a good idea.
> >>
> >>If you need to do this because of many target radius proxy hosts I
> >>generally recommend a single Handler with an AuthBy SQLRADIUS
clause.
> >>
> >>If this is to cope with many different Realms then you should just
use
> >>Realm clauses which are _much_ faster than Handlers.
> >>
> >>Perhaps if you give me a bit more detail I can try to make some
> >>suggestions.
> >>
> >>Otherwise we are available on a contract basis for design,
installation
> >>and training.
> >>
> >>regards
> >>
> >>Hugh
> >>
> >>
> >>On 11 Jan 2005, at 17:01, miko at yournetplus.com wrote:
> >>
> >>
> >>>Has anyone experienced any issue, or can think of any issue with
> >>>running a large # of Handlers in a config file???
> >>>
> >>>At present we have the potential for having about 4000-5000 in a
new
> >>>config I am wanting to implement, but I'd like to know that
Radiator
> >>>can handle this before I do it...
> >>>
> >>>-Miko
> >>>
> >>>--
> >>>Archive at http://www.open.com.au/archives/radiator/
> >>>Announcements on radiator-announce at open.com.au
> >>>To unsubscribe, email 'majordomo at open.com.au' with
> >>>'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >>NB:
> >>
> >>Have you read the reference manual ("doc/ref.html")?
> >>Have you searched the mailing list archive
> >>(www.open.com.au/archives/radiator)?
> >>Have you had a quick look on Google (www.google.com)?
> >>Have you included a copy of your configuration file (no secrets),
> >>together with a trace 4 debug showing what is happening?
> >>
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list