On Thu, 20 Jan 2005, Mark Elkins wrote:

On Wed, 2005-01-19 at 23:05 +0200, Kostas Kalevras wrote:
On Wed, 19 Jan 2005, Alan DeKok wrote:

"Neil Craig" <[EMAIL PROTECTED]> wrote:
Is it possible to add a NAS to SQL and have Freeradius recognise and
use it without restarting radius? The only way I can get this to work is
by adding in the entry and restarting, otherwise it thinks it's an
invalid NAS

You can HUP the server.

 Or, if you're willing to edit the source, have it periodically
re-read the NAS list from SQL.

Reading the NAS data from SQL for every request is a bad idea.

There's also snmp, don't forget that. It's the same as a HUP signal but at least it can be done remotely and without giving out shell access to the radius server.

What's to stop one from reading the NAS table - giving it a key (NAS name) and doing an SQL lookup - in the same way as one does with user info?... i.e. potentially on every request. (Not the full table - just the required row entry.) Make it more complicated - cache the NAS result (internal linked list) and only do an SQL lookup when it's not in the cache. Arrange so that a HUP clears the NAS cache.

We've got mechanisms to deal with DoS attacks *after* we've verified the client ip. There's no real mechanism to deal with DoS attacks before verifying the client ip. RADIUS uses UDP which means that IP addresses can be forged. Also RADIUS packets don't need to be very large, which means that you can probably send more to the radius server than your db can handle.
If I start sending forged packets to the radius server there's not much you can do to avoid the extra db load.


In any case, client updates are really rare actions. I think a HUP (in one form or another) can be enough, especially taking into account the extra work required to get any other way working right.


Go back a step - load the full NAS table into memory, if an internal lookup does not work - then do an (indexed) search just for that NAS - and add the result to the table that's in memory.

--
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED] - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

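An added example, not code from FreeRADIUS or from anyone in this thread: the in-memory NAS table with a per-row SQL fallback that Mark describes, plus two guards for the forged-UDP concern Kostas raises. Sources that the fallback confirms as unknown are negatively cached for a while, and fallback queries are token-bucket limited so a flood of spoofed source addresses cannot turn every packet into a database query. `db_lookup` (a single-row query) and `reload` (what a HUP handler would call) are assumed names, and the client table, secrets and addresses in the test are constructed.

```python
# Added example, not FreeRADIUS code: in-memory NAS table with a
# rate-limited, negatively cached SQL fallback for unknown client IPs.
import time
from collections import OrderedDict

class NasCache:
    def __init__(self, db_lookup, neg_ttl=60.0, max_neg=10000,
                 db_rate=50.0, burst=100, clock=time.monotonic):
        self.db_lookup = db_lookup      # assumed single-row query: ip -> secret or None
        self.clients = {}               # positive cache: ip -> shared secret
        self.negative = OrderedDict()   # unknown ip -> expiry time, bounded by max_neg
        self.neg_ttl, self.max_neg = neg_ttl, max_neg
        self.rate, self.burst = db_rate, burst    # token bucket for DB misses
        self.tokens, self.clock = float(burst), clock
        self.last = clock()
        self.db_calls = 0               # counter so the DB load is observable

    def reload(self, rows):
        # HUP handler: replace the whole table and drop every cached miss
        self.clients = dict(rows)
        self.negative.clear()

    def _take_token(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

    def lookup(self, ip):
        """Return the shared secret for ip, or None if it is not a known NAS."""
        if ip in self.clients:
            return self.clients[ip]
        now = self.clock()
        if self.negative.get(ip, 0) > now:
            return None                 # recently confirmed unknown: no DB hit
        self.negative.pop(ip, None)     # expired entry (if any) goes away
        if not self._take_token():
            return None                 # DB budget spent: treat as unknown
        self.db_calls += 1
        secret = self.db_lookup(ip)
        if secret is None:
            self.negative[ip] = now + self.neg_ttl
            while len(self.negative) > self.max_neg:
                self.negative.popitem(last=False)   # evict oldest miss
        else:
            self.clients[ip] = secret
        return secret
```

A miss that the bucket refuses is answered exactly like an unknown client (the packet is dropped), so the only thing the attacker can exhaust is the small fallback budget, not the database.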
