On 27.4.2022 14.10, [email protected] wrote:

Trying to implement an MFA with offband token validation.

The validation phase, between receiving a SMS, opening the web page and clicking the validation link, can take from a couple of seconds to 30s where the radius auth process is waiting to either ACCEPT or REJECT.

So, the solutions to allow for other authentications to happen at the same time are:

1. we set a FarmSize other than 0, but we break the use of Context and so multiple auth methods stop working, or
2. we Fork the authentication process where the validation happens (AuthBy SMSToken)

You're correct, the above cause a problem because of multi-round authentication that needs state information on the server.

https://blog.radiatorsoftware.com/2019/06/grouping-and-controlling-multiple.html

<Handler ...>
     AuthByPolicy ContinueUntilReject
     <AuthBy GROUP>
         AuthByPolicy ContinueUntilAccept
         AuthBy NTLM_DOM_A
         AuthBy NTLM_DOM_B
         AuthBy NTLM_DOM_C
     </AuthBy>
     AuthBy SMSToken
     AuthBy DynPool_this
</Handler>

You could consider this option:
- create a new configuration with just the current AuthBy SMSToken
- use BindAddress to limit the configuration to use 127.0.0.1, the loopback interface.
- start 2, 3 or more instances, all with separate AuthPort
- Update the above configuration so that it uses <AuthBy HASHBALANCE> to proxy to the new loopback bound instances - remember to add Asynchronous flag for hash balance config. See example in Radiator 4.26 goodies/proxyalgorithm.cfg

In other words: create separate workers that do just AuthBy SMSToken. Use hash balance, based on User-Name, Calling-Station-Id or other attribute, to deterministically proxy to the loopback bound instance that holds the state for the authentication.

For an easy way to start multiple instances of Radiator, see here:
https://blog.radiatorsoftware.com/2019/06/grouping-and-controlling-multiple.html

Please let us know how it goes.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
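
An added illustration, not part of the original message and not Radiator code: a small Python model of why the worker for a multi-round authentication must be chosen deterministically from a request attribute such as User-Name. The `Worker` class, the SHA-256 based `hash_pick` and the sample user names are assumptions made for this sketch; Radiator's own hash balance algorithm is not reproduced here.

```python
import hashlib
from itertools import count

class Worker:
    """Stands in for one loopback-bound instance; its state lives only in this object."""
    def __init__(self):
        self.pending = {}                        # User-Name -> token awaiting validation

    def handle(self, user, token=None):
        if token is None:                        # round 1: issue a token and remember it
            self.pending[user] = "tok-" + user   # constructed stand-in for the SMS token
            return "CHALLENGE"
        expected = self.pending.pop(user, None)  # round 2: needs the round 1 state
        return "ACCEPT" if expected == token else "REJECT"

def hash_pick(workers, user):
    """Deterministic choice: the same User-Name always maps to the same worker."""
    digest = hashlib.sha256(user.encode()).digest()
    return workers[int.from_bytes(digest[:4], "big") % len(workers)]

def round_robin_picker(workers):
    """Stateless rotation: ignores who the request belongs to."""
    counter = count()
    return lambda user: workers[next(counter) % len(workers)]

def run(pick, users):
    """Round 1 for every user, then round 2, as overlapping logins would arrive."""
    for u in users:
        pick(u).handle(u)
    return {u: pick(u).handle(u, "tok-" + u) for u in users}

USERS = ["alice", "bob", "carol", "dave", "erin"]   # constructed sample names

def demo():
    hashed_workers = [Worker() for _ in range(3)]
    rr_workers = [Worker() for _ in range(3)]
    hashed = run(lambda u: hash_pick(hashed_workers, u), USERS)
    rr = run(round_robin_picker(rr_workers), USERS)
    return hashed, rr

if __name__ == "__main__":
    print(demo())
```

With hashing on the user name every second round finds its pending state; with rotation the second round lands on a worker that never saw the first, so valid tokens are rejected.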