Hello Yan,


On 2018-02-01 at 11:33, Yan wrote:
Hi Fabrice,

We do have a plan to buy the support service, since we will deeply rely on Fingerbank to recognize our devices in the future. But currently our boss is very angry with us over recent network issues... It's a bad time to ask for money on this project unless we solve our current problem... So would you please help us survive this time, or we'll have to replace all the PF servers with something like Cisco ISE, which is what we don't want to do...

For your last response: firstly, the server we used to deploy PF has very good system performance (32 CPUs and 128G mem). Secondly, we do find that rlm_perl takes too much processing time when PF receives a request.
Thread 4 (Thread 0x7fd95d7fa700 (LWP 6150)):
#0  0x00007fdf2851942d in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fdf28514dcb in _L_lock_812 () from /lib64/libpthread.so.0
#2  0x00007fdf28514c98 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fdf1e18fbc1 in do_perl () from /usr/lib64/freeradius/rlm_perl.so
#4  0x0000000000426d9e in modcall_recurse ()
OK, so if you want to disable Perl in FreeRADIUS, patch with this:

diff --git a/conf/radiusd/packetfence-tunnel.example b/conf/radiusd/packetfence-tunnel.example
index 3fd5bb3..0d4acc0 100644
--- a/conf/radiusd/packetfence-tunnel.example
+++ b/conf/radiusd/packetfence-tunnel.example
@@ -68,7 +68,10 @@ authorize {
?0?2?0?2?0?2?0?2?0?2?0?2?0?2 suffix
?0?2?0?2?0?2?0?2?0?2?0?2?0?2 ntdomain

-?0?2?0?2?0?2?0?2?0?2?0?2 %%multi_domain%%
+?0?2?0?2?0?2?0?2?0?2?0?2?0?2 update request {
+?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 &PacketFence-Domain := cpa
+?0?2?0?2?0?2?0?2?0?2?0?2?0?2 }
+?0?2?0?2?0?2?0?2?0?2?0?2 # %%multi_domain%%

?0?2?0?2?0?2?0?2?0?2?0?2?0?2 %%redis_ntlm_cache_fetch%%
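Review bot: the `update request { &PacketFence-Domain := cpa }` block that replaces `%%multi_domain%%` hard-codes one domain name for every request, so it only fits a deployment with that single domain; anyone else applying this patch must substitute their own domain, and a multi-domain setup would send every authentication to `cpa`. Since the macro is kept only as a comment (`# %%multi_domain%%`), a short comment beside the `update request` block saying the value is site-specific and replaces the Perl-driven domain selection would keep the next person from treating it as a default.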

@@ -183,7 +186,7 @@ authenticate {
?0?2?0?2?0?2?0?2?0?2?0?2?0?2 #
?0?2?0?2?0?2?0?2?0?2?0?2?0?2 #?0?2 MSCHAP authentication
?0?2?0?2?0?2?0?2?0?2?0?2?0?2 Auth-Type MS-CHAP {
-?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 
packetfence?0?2?0?2?0?2?0?2 # increment the StatsD counter
+?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 
#packetfence?0?2?0?2?0?2?0?2 # increment the StatsD counter
?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 # If there is already an NT-Password populated in the control, we'll try it ?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 # In the event it fails, it will fallback to an ntlm_auth call below
?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2?0?2 if(&control:NT-Password && 
&control:NT-Password != "") {
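Review bot: commenting out the `packetfence` call under `Auth-Type MS-CHAP` also removes the StatsD counter that its own comment (`# increment the StatsD counter`) describes, so the MS-CHAP statistics should be expected to stop updating while this workaround is in place; that is worth saying in the reply so missing graphs are not mistaken for a new problem. Separately, the `-` and `+` lines of this hunk were wrapped by the mail client (the `packetfence` and `#packetfence` calls landed on lines of their own, and `if(&control:NT-Password &&` is split from `&control:NT-Password != "") {`), so the patch will not apply as pasted; sending it as an attachment would avoid that.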

and rename packetfence-tunnel.example to packetfence-tunnel

We have checked the RADIUS audit log in the PF database, and the request_time column is all filled with 0; no other number is found.

Then, about the RADIUS authentication latency: we tried to tcpdump on our AD server on port 389, but it captured nothing... Isn't the NTLM call sent to AD_IP:389? If not, how can we trace the authentication latency?

What about the "RADIUS Average Access-Request Latency", "NTLM call timing" and "NTLM authentication failures"?
Also, ntlm_auth uses winbind, so it's Samba traffic and not LDAP (389).

Last thing: if you want better performance, try the ntlm_cache.

Regards
Fabrice


Lastly, about Graphite: it responds very slowly and we can't find any cause for the issue from it...

And finally, I attached our config files under the ./pf/conf/ directory. I masked some sensitive information in them. I really hope you can review them a bit and provide some precious suggestions on how to optimize them to handle at least 50 qps... Then we have a chance of seeking more support from our boss...
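The backtrace quoted at the top of this thread shows a radiusd worker waiting on a mutex inside rlm_perl's do_perl(). One way to tell interpreter-lock contention from merely slow Perl code is to count how many of radiusd's threads sit in that state at once. The script below is an added example, not code from the thread or from PacketFence; it runs on a constructed backtrace embedded in the script, and the gdb command in its header comment is how a real one would be captured.

```shell
#!/bin/sh
# Added example (not from the thread or PacketFence): given the output of
#   gdb -p "$(pidof radiusd)" -batch -ex 'thread apply all bt'
# count how many radiusd threads are parked on a mutex inside rlm_perl's
# do_perl(). If a large share of threads are in that state, requests are being
# serialized on the Perl interpreter lock rather than just slowed by Perl code.
# SAMPLE_BT is constructed sample data modelled on the backtrace in the thread.

SAMPLE_BT='Thread 4 (Thread 0x7fd95d7fa700 (LWP 6150)):
#0  0x00007fdf2851942d in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fdf28514dcb in _L_lock_812 () from /lib64/libpthread.so.0
#2  0x00007fdf28514c98 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fdf1e18fbc1 in do_perl () from /usr/lib64/freeradius/rlm_perl.so
#4  0x0000000000426d9e in modcall_recurse ()
Thread 3 (Thread 0x7fd95e7fc700 (LWP 6149)):
#0  0x00007fdf2851942d in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fdf28514c98 in pthread_mutex_lock () from /lib64/libpthread.so.0
#2  0x00007fdf1e18fbc1 in do_perl () from /usr/lib64/freeradius/rlm_perl.so
Thread 2 (Thread 0x7fd95effd700 (LWP 6148)):
#0  0x00007fdf28516a3c in pthread_cond_wait () from /lib64/libpthread.so.0
#1  0x000000000041f0c2 in request_dequeue ()
Thread 1 (Thread 0x7fdf29b2f740 (LWP 6140)):
#0  0x00007fdf27c6c1c3 in epoll_wait () from /lib64/libc.so.6
#1  0x000000000042e5a1 in fr_event_loop ()'

# Print "<threads blocked in do_perl's mutex> <total threads>" for backtrace $1.
# A thread counts as blocked only if its frames show both a lock wait and do_perl().
perl_lock_summary() {
  printf '%s\n' "$1" | awk '
    function flush() { if (seen) { total++; if (waiting && inperl) blocked++ } }
    /^Thread [0-9]+ /                    { flush(); seen = 1; waiting = 0; inperl = 0; next }
    /__lll_lock_wait|pthread_mutex_lock/ { waiting = 1 }
    /in do_perl \(\)/                    { inperl = 1 }
    END                                  { flush(); printf "%d %d\n", blocked, total }
  '
}

# Succeed (exit 0) when at least half of the threads are blocked on the rlm_perl mutex.
perl_lock_contended() {
  set -- $(perl_lock_summary "$1")
  [ "$2" -gt 0 ] && [ $(( $1 * 2 )) -ge "$2" ]
}

perl_lock_summary "$SAMPLE_BT"   # prints: 2 4
```

On a live box, run the gdb command from the header against radiusd a few times during the slow period and feed each capture to perl_lock_summary; a count that stays near the thread total is the lock, a count near zero points elsewhere.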

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
