[RADIATOR] Slow Auth process

Heikki Vatiainen hvn at open.com.au
Thu Apr 28 13:14:07 UTC 2022


On 27.4.2022 14.10, misanthrope at sapo.pt wrote:

> Trying to implement a MFA with offband token validation.
> 
> The validation phase, between receiving a SMS, opening the web page and 
> clicking the validation link, can take from a couple of seconds to 30s 
> where the radius auth process is waiting to either ACCEPT or REJECT.
> 
> So, the solutions to allow for other authentications to happen at the 
> same time are:
> 
> 1. we set a FarmSize other than 0, but we break the use of Context and 
> so multiple auth methods stop working, or
> 2. we Fork the authentication process where the validation happens 
> (AuthBy SMSToken)

You're correct, the above cause a problem because of multi-round 
authentication that needs state information on the server.

https://blog.radiatorsoftware.com/2019/06/grouping-and-controlling-multiple.html

> <Handler ...>
>      AuthByPolicy ContinueUntilReject
>      <AuthBy GROUP>
>          AuthByPolicy ContinueUntilAccept
>          AuthBy NTLM_DOM_A
>          AuthBy NTLM_DOM_B
>          AuthBy NTLM_DOM_C
>      </AuthBy>
>      AuthBy SMSToken
>      AuthBy DynPool_this
> </Handler>

You could consider this option:
- create a new configuration with just the current AuthBy SMSToken
- use BindAddress to limit the configuration to use 127.0.0.1, the 
loopback interface.
- start 2, 3 or more instances, all with separate AuthPort
- Update the above configuration so that it uses <AuthBy HASHBALANCE> to 
proxy to the new loopback bound instances
- remember to add Asynchronous flag for hash balance config. See example 
in Radiator 4.26 goodies/proxyalgorithm.cfg

In other words: create separate workers that do just AuthBy SMSToken. 
Use hash balance, based on User-Name, Calling-Station-Id or other 
attribute, to deterministically proxy to the loopback bound instance that 
holds the state for the authentication.

For an easy way to start multiple instances of Radiator, see here:
https://blog.radiatorsoftware.com/2019/06/grouping-and-controlling-multiple.html

Please let us know how it goes.

Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
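
Added example, not part of the original message and not Radiator code: a Python simulation of why hashing on User-Name keeps both rounds of an authentication on the worker that holds its state, while stateless rotation across workers does not. The ports, user names and the SHA-256 based selection are assumptions; the thread does not show the hash Radiator itself uses.

```python
import hashlib
from itertools import count

# Assumed loopback worker ports (constructed; the thread names no ports).
WORKER_PORTS = [11812, 11813, 11814]

class Worker:
    """Stands in for one loopback-bound instance that only does the SMS token step."""
    def __init__(self, port):
        self.port = port
        self.pending = {}  # per-process state: user -> outstanding challenge

    def handle(self, user, response=None):
        if response is None:  # round 1: issue a challenge and remember it
            self.pending[user] = f"challenge-for-{user}"
            return "CHALLENGE"
        # Round 2: only the worker that issued the challenge can finish it.
        # (Checking the token value itself is left out of this sketch.)
        if self.pending.pop(user, None) is None:
            return "REJECT"  # the state lives in another process
        return "ACCEPT"

def pick_by_hash(user, workers):
    """Deterministic choice: the same User-Name always maps to the same worker."""
    digest = hashlib.sha256(user.encode("utf-8")).digest()
    return workers[int.from_bytes(digest[:8], "big") % len(workers)]

def round_robin():
    """Stateless rotation that ignores which worker holds a user's state."""
    counter = count()
    return lambda user, workers: workers[next(counter) % len(workers)]

def run_two_round_logins(users, select):
    """Send round 1 for every user, then round 2; return the final results."""
    workers = [Worker(port) for port in WORKER_PORTS]
    for user in users:
        select(user, workers).handle(user)
    return {u: select(u, workers).handle(u, response="ok") for u in users}

USERS = ["alice", "bob", "carol", "dave"]  # constructed sample users

if __name__ == "__main__":
    print("hash balance:", run_two_round_logins(USERS, pick_by_hash))
    print("round robin: ", run_two_round_logins(USERS, round_robin()))
```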

