[RADIATOR] Increase tacacs performance
Schnurrenberger Tobias (ID)
tobias.schnurrenberger at id.ethz.ch
Mon Mar 6 06:15:13 UTC 2023
Dear Heikki
This is great, your suggestions solved the problem!
> When AllowAuthorizeOnly is set, Radiator triggers an Access-Request that
> has 'Service-Type = Authorize-Only' but no User-Password attribute. In
> your case you could catch these requests with a specific Handler and
> then run the 'authorizeSQL' AuthBy only within this new Handler.
>
> When you know you can handle 'Service-Type = Authorize-Only' TACACS+
> derived access requests, you can enable FarmSize on the frontend.
With the first step Authorization-Only in the backend and a FarmSize of 8 in the frontend, the TCP errors dropped from approx. 1000 to 100 per second. With a doubling of the FarmSize to 16 they decreased again but stayed at a level of approx. 50/s.
We observed that the CPU load was still at 100% on all cores for 2-3 seconds. Thus we also doubled the count of virtual CPUs from 8 to 16, and with this step the errors are finally gone. The "tacacs server unreachable" logs on the clients (switches & routers) have also disappeared completely.
This is the config we added:

FRONTEND (before <Client ...> section):

    FarmSize 16
    DupCache shared
    DupCacheFile /var/run/radius/rad_auth-tacacs-frontend-%0

BACKEND (before default <Handler> section):

    <Handler Service-Type=Authorize-Only>
        Identifier TacacsAuthorizeOnly
        AuthByPolicy ContinueWhileAccept
        AuthBy SQLauthorizeTAC
        AuthBy InternalReply
        RejectHasReason
        AuthLog authlog-tacacs
    </Handler>

Thank you and best regards,
Tobias
-------------------------------------------------------
ETH Zürich
Tobias Schnurrenberger
ID INFRA Network Applications
Binzmühlestrasse 130
8092 Zürich
tobias.schnurrenberger at id.ethz.ch
-------------------------------------------------------
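
The two conditions from the message above (the Authorize-Only handler placed before the default handler, and FarmSize enabled only once those requests are handled) written as a small config check. This is an added example, not part of the original post or of Radiator; it assumes Radiator uses the first <Handler> in file order whose check items match, and the sample configs and the AuthBy name SQLauthenticate are constructed.

```python
import re

# Constructed configs modelled on the fragments in the message above.
# "SQLauthenticate" is a made-up AuthBy name for the default handler.
FRONTEND = "FarmSize 16\nDupCache shared\n"
BACKEND_OK = """\
<Handler Service-Type=Authorize-Only>
    Identifier TacacsAuthorizeOnly
    AuthBy SQLauthorizeTAC
</Handler>
<Handler>
    AuthBy SQLauthenticate
</Handler>
"""
# Same two handlers with the catch-all first: it shadows the specific one.
BACKEND_SHADOWED = """\
<Handler>
    AuthBy SQLauthenticate
</Handler>
<Handler Service-Type=Authorize-Only>
    AuthBy SQLauthorizeTAC
</Handler>
"""

HANDLER_RE = re.compile(r"^[ \t]*<Handler\b([^>]*)>", re.MULTILINE)
AUTHZ_ONLY_RE = re.compile(r"\bService-Type\s*=\s*Authorize-Only\b")

def handler_checks(config):
    """Check-item string of each <Handler> in file order ('' = catch-all)."""
    return [m.group(1).strip() for m in HANDLER_RE.finditer(config)]

def farm_size(config):
    m = re.search(r"^[ \t]*FarmSize[ \t]+(\d+)", config, re.MULTILINE)
    return int(m.group(1)) if m else 0

def lint(frontend, backend):
    """Return findings; an empty list means the pair of configs is consistent."""
    findings = []
    checks = handler_checks(backend)
    authz = next((i for i, c in enumerate(checks) if AUTHZ_ONLY_RE.search(c)), None)
    default = next((i for i, c in enumerate(checks) if c == ""), None)
    if authz is None:
        findings.append("backend: no <Handler Service-Type=Authorize-Only>")
    elif default is not None and default < authz:
        findings.append("backend: default <Handler> precedes Authorize-Only handler")
    if findings and farm_size(frontend) > 1:
        findings.append("frontend: FarmSize > 1 but Authorize-Only is not handled")
    return findings

if __name__ == "__main__":
    print(lint(FRONTEND, BACKEND_OK))
    print(lint(FRONTEND, BACKEND_SHADOWED))
```
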