Antonio Alberola wrote:
> I have a mail server where users are validated with local accounts (UNIX) or
> against a Windows AD. For this reason we use Radius. Sometimes the Radius
> server fails and stops authentication for everybody. At that point the logs
> that I sent to you appear. I need to restart Radius in order for it to work
> again.

The RADIUS *server*, or the entire machine? You've been vague as to what you mean. Please be precise. It's the only way we can help you.

> When we monitored the network and one of the Windows AD we could confirm
> that requests from Radius don't reach the AD, because they don't leave
> Radius.

Again, the RADIUS *server* doesn't contact AD. It's another component on the same machine. Maybe Kerberos, maybe Samba.

Have you tried to find out *which* component is causing the problem?

> We believe that connectivity between Radius and AD is correct, they
> are on the same LAN and the AD continues to validate correctly even when
> Radius is failing.

That doesn't mean much. It's nice, but the problem could be somewhere else.

i.e. I've seen people put firewalls between the RADIUS server and a database. The firewall then drops the database connections RADIUS started. So RADIUS gets blocked. But you can still ping the DB from the RADIUS machine. And new connections work fine.

> From my point of view, for any reason, Radius receives requests that it can
> not manage, because of the AD, the network or whatever. These requests keep
> waiting and the buffer fills completely. I don't know why these requests are
> not removed from the queue and the buffer is cleared in order to allow new
> requests.

Because FreeRADIUS doesn't implement *EVERYTHING* itself. It relies on libraries / other programs for AD connectivity. If those libraries block, the underlying APIs often don't *allow* FreeRADIUS to detect that and recover.

You need to stop blaming FreeRADIUS. It's preventing you from finding out what the real problem is.

Again, it's like you're trying to drive a car with no petrol in it. You're stuck looking at the gauge in front of you. You're thinking you may need to replace it. All the time we're trying to tell you PUT MORE PETROL IN THE TANK.

Start paying attention to the responses on this list. It's the only way you'll get the problem solved.

Alan DeKok.