On 28 May 2003 13:11:39 +0200, Chris van Meerendonk wrote:
> On Wed, 2003-05-28 at 12:40, Pieter Droogendijk wrote:
> > Greetings,
> >
> > I'm facing an odd problem at the moment.
> >
> > The ISP I work for has its own radius servers, however we don't own the CVX. The
> > company that owns the CVX decided that it would be a good idea to automatically
> > reject a dialup connection if the connection process (which, of course, includes
> > our radius servers) takes longer than 6 seconds. And this poses a problem.
>
> On a CVX, the default radius timeout is set to 3 seconds with 3 retries
> per radius server, but this is apart from the time the rest of the
> connection setup takes. The modem connect-timeout defaults to 60000
> milliseconds and the ppp-modem EstablishTimeLimit defaults to 120000
> msec. This can be separately configured for isdn and analog modems.
>
> With these settings we don't have any problems. Do you have a backup
> radiusserver configured at the CVX? I'm not sure which timeout you're
> pointing to, I guess the radius timeout.

Yes, the radius timeout. I don't know much about the CVX, I've never been
allowed to touch it. All I was told was that the whole radius process can't
take longer than 6 seconds, or a connection is terminated. Problem is, it just
takes too long to do authorize and authenticate to an ldap. I don't know why,
maybe the ldaps are just crap. The things are THE number one bottleneck
everywhere.

>
> Regards,
>
> Chris
>
> > The solution we came up with, in the first place, was to disable the password
> > authentication. The new systems (which use freeradius) however, should include
> > authentication as well. But since the overall timeout is only 6 seconds, and the
> > LDAP gets some extreme loads at certain times, we can't reach that.
> >
> > I just benchmarked the server with an ldap timeout of 2 seconds (all three ldap
> > timeouts that is), and 10% of 500.000 requests were rejected because of the
> > timeout, which is unacceptable.
> >
> > What I need is something in between the two solutions; REJECT if the authorization
> > takes longer than X seconds, ACCEPT if the password authentication takes longer
> > than Y seconds, or send an ACCEPT or REJECT according to successful authorization
> > and authentication responses, where X+Y<6.
> >
> > Is there any valid way, besides patching the ldap module to make the return value
> > at timeouts configurable, that would solve this problem? Maybe someone has another
> > solution?
> >
> > Thanks in advance,
> >
> > Pieter Droogendijk
> >
> > --
> > There is an old time toast which is golden for its beauty.
> > "When you ascend the hill of prosperity may you not meet a friend."
> >                 -- Mark Twain

--
You are the only person to ever get this message.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
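
The decision rule asked for in the quoted original post (REJECT when authorization overruns X, ACCEPT when password authentication overruns Y, X+Y<6), sketched as an added Python example that is not from this thread or from FreeRADIUS. `make_backend`, `decide`, the sample directory and the sleep-simulated LDAP latency are assumptions for illustration; the timeout-ACCEPT branch admits a user whose password was never checked, so it returns its own reason string for logging.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

TOTAL_BUDGET = 6.0   # seconds allowed for the whole RADIUS exchange (from the post)
DIRECTORY = {"alice": "s3cret"}   # constructed sample data standing in for LDAP
_pool = ThreadPoolExecutor(max_workers=8)


def make_backend(authz_delay, authn_delay):
    """Hypothetical LDAP stand-ins whose latency is simulated with sleep()."""
    def authorize(user):
        time.sleep(authz_delay)
        return user in DIRECTORY

    def authenticate(user, password):
        time.sleep(authn_delay)
        return DIRECTORY.get(user) == password

    return authorize, authenticate


def _call(fn, deadline, *args):
    """Return (finished, result); finished is False if fn overran its deadline."""
    future = _pool.submit(fn, *args)
    try:
        return True, future.result(timeout=deadline)
    except FutureTimeout:
        return False, None   # worker keeps running; its late answer is discarded


def decide(user, password, backend, x, y):
    """Return (verdict, reason) for one request under the X / Y deadlines."""
    if x + y >= TOTAL_BUDGET:
        raise ValueError("X + Y must stay below the 6 second limit")
    authorize, authenticate = backend
    finished, known = _call(authorize, x, user)
    if not finished:
        return "REJECT", "authorize timeout"
    if not known:
        return "REJECT", "unknown user"
    finished, ok = _call(authenticate, y, user, password)
    if not finished:
        # Fail-open branch: the password was never verified, so log this reason.
        return "ACCEPT", "authenticate timeout, password unchecked"
    return ("ACCEPT", "password verified") if ok else ("REJECT", "bad password")
```

Counting the "password unchecked" reason per time window shows how often the fail-open path is taken under load.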
