Dear Heikki

This is great, your suggestions solved the problem!
> When AllowAuthorizeOnly is set, Radiator triggers an Access-Request that
> has 'Service-Type = Authorize-Only' but no User-Password attribute. In
> your case you could catch these requests with a specific Handler and
> then run the 'authorizeSQL' AuthBy only within this new Handler.
>
> When you know you can handle 'Service-Type = Authorize-Only' TACACS+
> derived access requests, you can enable FarmSize on the frontend.

With the first step (Authorize-Only in the backend) and a FarmSize of 8 in the frontend, the TCP errors dropped from approx. 1000 to 100 per second. With a doubling of the FarmSize to 16 they decreased again but stayed at a level of approx. 50/s. We observed that the CPU load was still at 100% on all cores for 2-3 seconds. Thus we also doubled the count of virtual CPUs from 8 to 16, and with this step the errors are finally gone. The "tacacs server unreachable" logs on the clients (switches & routers) have also disappeared completely.

This is the config we added:

FRONTEND (before the <Client ...> section):

FarmSize 16
DupCache shared
DupCacheFile /var/run/radius/rad_auth-tacacs-frontend-%0

BACKEND (before the default <Handler> section):

<Handler Service-Type=Authorize-Only>
    Identifier TacacsAuthorizeOnly
    AuthByPolicy ContinueWhileAccept
    AuthBy SQLauthorizeTAC
    AuthBy InternalReply
    RejectHasReason
    AuthLog authlog-tacacs
</Handler>

Thank you and best regards,
Tobias

-------------------------------------------------------
ETH Zürich
Tobias Schnurrenberger
ID INFRA Network Applications
Binzmühlestrasse 130
8092 Zürich
[email protected]
-------------------------------------------------------
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
