Stop pretending it's personal. It's not.
Yes.
Why not just implement a robust and scalable solution?
You're pretending it's personal again. Facts are not "rants", no
matter how often you claim they are.
Stop being a troll. If you've spent any time reading the lists, you
know your comments are wrong.
I post hundreds of messages helping people, and making FreeRADIUS
better. You say nothing. I post one message pointing out your troll,
and you get annoyed that I should "focus more to your own project".

I think you're over-reacting. A lot.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

a) run a radius server for authentication
b) run a different radius server for accounting
c) "nice +15" the accounting server.

Why write code when you can use standard Unix utilities? This won't
do *exactly* what you want, but it will come close.
In a word: No.

It's possible, but it's wrong.

A better approach is to use rlm_sql_log, which is a fast & cheap way
to log the SQL inserts. A perl script can then run the inserts when the
system isn't busy.

Your approach involves the possibility of losing data, and still
writes to a "special file". Why not just write to a "special file" all
of the time?
Decouple the backend from the front end. This is a standard way to
make systems more robust, scalable, and easy to maintain.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

I suspect that this give similars result as the reply caching in FreeRADIUS
("cleanup_delay" etc). What happens to "older" requests that are still in
the queue? Do you expire them after some time? Reply to them eventiually or
keep track of duplicates?
ok. Basically the way you handle this with FreeRADIUS is:

* you use the sql (or ldap) module to directly service Authentication
requests. All Authentication requests are handled as fast as the backend can
respond.

* you pass all accounting requests to either the sqllog module OR a specially
configured detail module. (I prefer the detail method, and I am going
describe that, but the concept and result is effectively the same.)

* The detail module writes the accounting request to an on disk spool (on a
big system this should be a dedicated disk so that speed is not effected by
other system utilization) and sends accounting response.

* A second copy of FreeRADIUS configured in "radrelay" mode lazily reads this
spool from disk and processes it into your accounting database. (As I
mentioned in a previous email, your accounting database may be a Master
while your Auth database is a read only slave if you wish to split up the
load between multiple machines)

This is superior to your method in that it is not possible to lose an
accounting record after having already sent an accounting response. If your
radius server crashes/disappears your NASes will think that the accounting
packet has been logged and forget about it, mine will resend it to my
secondary RADIUS server and the packet will not be lost.

While there IS a difference in speed between writing to an on-disk spool and
your method (in memory queue) our method is "correct" and a dedicated disk
(or raid set) is more than fast enough to keep up with thousands of requests
per second. (I haven't benchmarked it recently but I suspect we are in 100K
requests per second territory here depending on disk spindle speed,
filesystem and cache configuration)

This could be possibly improved by adding an in memory authentication queue
to make sure that radiusd never tries to send more than the maximum number
of sql sockets to the database backend at one time, however this only buys
you a small advantage (given that we are already queuing acct) in that if
the request is delayed for more than 1 second (this is typically
configurable on the NAS of course) the NAS will resend the Auth request to
the secondary RADIUS. This results in duplicated load on the backend
(assuming its shared, although it could be a second slave database) which
makes the problem even worse.
Basically a queue of more than a second (or the timeout configured on your
NAS) is worse than sending an Authentication reject to a couple of users as
the whole thing just snowballs! An Auth queue only helps in the case where
you have a huge peak of requests that cannot be serviced simultaneously but
CAN be serviced quicker than the configurable timeout of your NAS. If you
continually have a deep queue then you need to increase the speed of your
backend.
Yes. There are _some_ tricks you can play to try and deal with restart
conditions (When one or more NAS reset a group of interfaces due to an error
condition or reboot completely) more effectively. In the end however if your
Authentication backend cannot clear the load backlog within a second or so
you are lost anyway. Accounting of course can be handled lazily, as I
explain above.

I would be interested to see you run a benchmark to show that your algorithm
for dealing with newest Auth request first is actually a performance gain in
a high load environment. (I suspect that it will make very little difference
compared with out caching system) If it does make a considerable difference,
then of course we would consider adding a similar feature to FreeRADIUS.
(ie. Please prove to us that what you have done is actually better!)

Regarding your accounting optimization, it would be trivial for us to do the
same thing but it would be wrong as it introduces the possibility of lost
packets. (While there ARE companies out there that can enough accounting
packets to saturate a single disk, they can afford to purchase a raid set,
and they DO care about doing everything possible to not losing data!)

Cheers

That's a pretty bad method. Under a dos attack, where dos traffic
is substantially greater than good traffic, real auths will tend
to get dropped in favor of processing attack auths. It's better
to process them in order, short-circuiting the hard work by testing the
age of the request before going on to do any work, including sending
a response at all. You could even set up a new queue every second
and simply drop all requests older than 3s without even looking at
the timestamps on them. (Although you'd probably want to use 12s
as the cutoff, to allow for retransmission. That way the age of
the packet is established from the first transmission.)

FreeRADIUS essentially does this.

-frank