[RADIATOR] Top level radius servers problems

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed May 25 03:39:10 CDT 2011


Hi,

>    If this was a problem related to the client running out of ID REQUEST
>    where can I look on the logs for a warning or something alerting that this
>    is happening?

welcome to the party. in the UK we have seen this issue too - and it doesn't take
that much until the server is all backlogged up and then other people to other
RADIUS servers get all messed up too. 

>    And what are the recommendations to solve this kind of problem?

from looking at the behaviour and working out the 'hit' that the RADIATOR
daemon takes for different issues I have found that dealing with incorrect
names (people sending junk to the national proxy) whilst annoying, a Reject
is quite 'cheap' for resources...it's done quick and clears the socket for
use. a non responsive homesite causes the daemon's UDP socket pipe to fill and disrupts
service for others...so, we recommend that sites have at least 2 RADIUS servers
(for resiliency) and have local monitoring so that they can see that their
site has issues..... it's amazing how many still have just 1 RADIUS
server and no monitoring for it (!)  :-(


the 'fix' that I have done is to implement a handler in the AuthBy clause for
noresponse - similar to the one supplied in goodies.txt - but not failing back to UNIX
local handler etc - therefore the user trying to connect to an unresponsive site
is just rejected.  whilst not the best ultimate solution (their dumb client will
say something like 'wrong password' or such) - it does stop the requests whacking
the server....up until the server is ready to retry the home site - about 60 seconds 
IIRC from our config. 

the OTHER issue - which I will be raising at higher level is that sites have got their NAS
kit badly configured - when this event happens we see thousands of requests for those
users coming in - the visited site should have EAP login limits on their NAS to stop brute-force
etc attacks - eg 3 logins in 60 seconds for a client etc.  instead it looks like the kit
just keeps going and going and going. relentless  :-(

I can provide you config/snippet etc - and after discussion I hope for this (and a non related
FreeRADIUS config snippet I did for Japan earlier this week) to be in the European
eduroam wiki

alan
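
Added illustration, not part of the message above and not Radiator code or configuration: a small Python model of the two mitigations the post describes, a 60-second hold-down during which requests for an unresponsive home site are rejected at once, and a NAS-side limit of 3 logins per client in 60 seconds. The class, function names, realm and client address are constructed for the example; only the 60-second and 3-per-60-seconds figures come from the post.

```python
# Illustrative model only; names and sample data are constructed.
from collections import deque

HOLD_DOWN = 60     # seconds before the home site is retried (figure from the post)
MAX_ATTEMPTS = 3   # per-client login limit at the NAS (figure from the post)
WINDOW = 60        # seconds


class ProxyModel:
    def __init__(self, nas_limit=True):
        self.nas_limit = nas_limit
        self.dead_until = {}   # realm -> time at which forwarding resumes
        self.attempts = {}     # client -> times of recent attempts

    def nas_allows(self, client, now):
        """Visited-site NAS: at most MAX_ATTEMPTS per WINDOW per client."""
        recent = self.attempts.setdefault(client, deque())
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            return False
        recent.append(now)
        return True

    def handle(self, realm, client, now, home_answers):
        if self.nas_limit and not self.nas_allows(client, now):
            return "dropped-at-nas"      # never reaches the proxy
        if now < self.dead_until.get(realm, 0):
            return "reject"              # cheap: answered at once
        if not home_answers:
            self.dead_until[realm] = now + HOLD_DOWN
        return "forward"                 # ties up a socket until timeout


def replay(events, nas_limit=True):
    """Tally outcomes for time-ordered (time, realm, client, home_answers)."""
    proxy = ProxyModel(nas_limit)
    tally = {"forward": 0, "reject": 0, "dropped-at-nas": 0}
    for now, realm, client, answers in events:
        tally[proxy.handle(realm, client, now, answers)] += 1
    return tally


def sample_storm():
    """Constructed input: one client retrying every 5 s against a dead site."""
    return [(t, "example.ac.uk", "00:11:22:33:44:55", False)
            for t in range(0, 120, 5)]
```

Calling `replay(sample_storm(), nas_limit=False)` and then with `nas_limit=True` shows the split: the hold-down alone keeps forwards to the dead site at 2 in both runs, while the NAS limit cuts what the proxy has to answer from 22 rejects to 4.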

