On Wed, 2003-05-28 at 12:40, Pieter Droogendijk wrote:
> Greetings,
> 
> I'm facing an odd problem at the moment.
> 
> The ISP I work for has its own radius servers, however we don't own the CVX. The 
> company that owns the CVX decided that it would be a good idea to automatically 
> reject a dialup connection if the connection process (which, of course, includes our 
> radius servers) takes longer than 6 seconds. And this poses a problem.

On a CVX, the default radius timeout is set to 3 seconds with 3 retries
per radius server, but this is apart from the time the rest of the
connection setup takes. The modem connect-timeout defaults to 60000
milliseconds and the ppp-modem EstablishTimeLimit defaults to 120000
msec. This can be separately configured for isdn and analog modems.

With these settings we don't have any problems. Do you have a backup
radius server configured at the CVX? I'm not sure which timeout you're
pointing to, I guess the radius timeout.

Regards,

Chris

> The solution we came up with, in the first place, was to disable the password 
> authentication. The new systems (which use freeradius) however, should include 
> authentication as well. But since the overall timeout is only 6 seconds, and the 
> LDAP gets some extreme loads at certain times, we can't reach that.
> 
> I just benchmarked the server with an ldap timeout of 2 seconds (all three ldap 
> timeouts that is), and 10% of 500.000 requests were rejected because of the timeout, 
> which is unacceptable.
> 
> What I need is something in between the two solutions; REJECT if the authorization 
> takes longer than X seconds, ACCEPT if the password authentication takes longer than 
> Y seconds, or send an ACCEPT or REJECT according to successful authorization and 
> authentication responses, where X+Y<6.
> 
> Is there any valid way, besides patching the ldap module to make the return value at 
> timeouts configurable, that would solve this problem? Maybe someone has another 
> solution?
> 
> Thanks in advance,
> 
> Pieter Droogendijk
> 
> -- 
> There is an old time toast which is golden for its beauty.
> "When you ascend the hill of prosperity may you not meet a friend."
>               -- Mark Twain
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
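
The policy asked for in the quoted question (REJECT when authorization exceeds X seconds, a configurable reply when password authentication exceeds Y seconds, X+Y<6), as an added Python sketch that is not part of the thread and not FreeRADIUS code. The `Stage` type, the function names, the latencies and the X/Y values are constructed assumptions; the summary counts how many Access-Accepts go out without a verified password under each timeout policy.

```python
# Added illustration; names and sample data are constructed, not FreeRADIUS code.
from dataclasses import dataclass

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

@dataclass
class Stage:
    latency: float   # seconds the LDAP step took (simulated)
    ok: bool         # result it would have returned if allowed to finish

def decide(authz, authn, x, y, budget=6.0, authn_timeout_reply=ACCEPT):
    """Return (reply, password_verified, elapsed_seconds) for one request."""
    if x + y >= budget:
        raise ValueError("X + Y must stay below the NAS budget")
    if authz.latency > x:            # authorization timed out: fail closed
        return REJECT, False, x
    if not authz.ok:                 # user unknown or not authorized
        return REJECT, False, authz.latency
    if authn.latency > y:            # authentication timed out: policy choice
        return authn_timeout_reply, False, authz.latency + y
    reply = ACCEPT if authn.ok else REJECT
    return reply, authn.ok, authz.latency + authn.latency

def summarize(requests, x, y, **kw):
    """Count replies and the Accepts sent without a verified password."""
    stats = {ACCEPT: 0, REJECT: 0, "unverified_accepts": 0, "max_elapsed": 0.0}
    for authz, authn in requests:
        reply, verified, elapsed = decide(authz, authn, x, y, **kw)
        stats[reply] += 1
        if reply == ACCEPT and not verified:
            stats["unverified_accepts"] += 1
        stats["max_elapsed"] = max(stats["max_elapsed"], elapsed)
    return stats

# Constructed sample: (authorization, authentication) LDAP outcomes.
SAMPLE = [
    (Stage(0.2, True), Stage(0.3, True)),    # normal login
    (Stage(0.2, True), Stage(0.3, False)),   # wrong password, fast LDAP
    (Stage(0.4, True), Stage(4.0, False)),   # wrong password, slow LDAP
    (Stage(3.5, True), Stage(0.2, True)),    # authorization too slow
    (Stage(0.1, False), Stage(0.1, True)),   # unknown user
]

if __name__ == "__main__":
    print(summarize(SAMPLE, x=2.0, y=3.0))                              # accept on timeout
    print(summarize(SAMPLE, x=2.0, y=3.0, authn_timeout_reply=REJECT))  # reject on timeout
```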


