Greetings,
I'm facing an odd problem at the moment.
The ISP I work for has its own radius servers, however we don't own the CVX. The
company that owns the CVX decided that it would be a good idea to automatically reject
a dialup connection if the connection process (which, of course, includes our radius
servers) takes longer than 6 seconds. And this poses a problem.
The solution we came up with, in the first place, was to disable the password
authentication. The new systems (which use freeradius) however, should include
authentication as well. But since the overall timeout is only 6 seconds, and the LDAP
gets some extreme loads at certain times, we can't reach that.
I just benchmarked the server with an ldap timeout of 2 seconds (all three ldap
timeouts that is), and 10% of 500.000 requests were rejected because of the timeout,
which is unacceptable.
What I need is something in between the two solutions; REJECT if the authorization
takes longer than X seconds, ACCEPT if the password authentication takes longer than Y
seconds, or send an ACCEPT or REJECT according to successful authorization and
authentication responses, where X+Y<6.
Is there any valid way, besides patching the ldap module to make the return value at
timeouts configurable, that would solve this problem? Maybe someone has another
solution?
Thanks in advance,
Pieter Droogendijk
--
There is an old time toast which is golden for its beauty.
"When you ascend the hill of prosperity may you not meet a friend."
-- Mark Twain