RE: Best Config

2009-01-26 Thread Santiago Balaguer García

If you have these figures, your database has to be a GOOD DB server and a GOOD
machine.

To: freeradius-users@lists.freeradius.org
Subject: Re: Best Config
Date: Sat, 24 Jan 2009 11:08:53 +0100
From: t...@kalik.net

  From experience, what would be the best server configuration for
  200,000 users with 75,000 concurrent users throttling 50,000
  connections per second (with 1 NAS Client) in terms of:

 Your network usage numbers look very wrong. 200,000 users are highly
 unlikely to use 75,000 concurrent connections and 75,000 connections are
 most unlikely to produce 50,000 requests per second - that would mean
 average session time of less than 5 seconds!!!

 200,000 users with peak contention ratio of 10:1 and average session time
 of 10 minutes will produce about 100 requests per second at peak times.
 A single database might struggle with this peak rate. You should
 consider using something like buffered-sql virtual server: that will
 keep authentication working at max pace, while accounting might lag a
 few seconds at peak times but it will catch up when demand drops.

 Ivan Kalik
 Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Best Config

2009-01-24 Thread tnt
 From experience, what would be the best server configuration for
200,000 users with 75,000 concurrent users throttling 50,000
connections per second (with 1 NAS Client) in terms of:


Your network usage numbers look very wrong. 200,000 users are highly
unlikely to use 75,000 concurrent connections and 75,000 connections are
most unlikely to produce 50,000 requests per second - that would mean
average session time of less than 5 seconds!!!

200,000 users with peak contention ratio of 10:1 and average session time
of 10 minutes will produce about 100 requests per second at peak times.
A single database might struggle with this peak rate. You should
consider using something like buffered-sql virtual server: that will
keep authentication working at max pace, while accounting might lag a
few seconds at peak times but it will catch up when demand drops.

Ivan Kalik
Kalik Informatika ISP



Re: Best Config

2009-01-23 Thread Alexandre Chapellon
I am at the moment experiencing a load problem with mysql as acct DB
(query failure during database backup of massive radius ticket
injection) for a setup of 15000 concurrent users so I would recommend
its use!

On 23.01.2009 17:54, tech.subscripti...@shepherdhill.biz wrote:
 Hi,

 From experience, what would be the best server configuration for
 200,000 users with 75,000 concurrent users throttling 50,000
 connections per second (with 1 NAS Client) in terms of:

 1. Hardware configuration
 2. Choice of DB (PostgreSQL or MySQL)
 3. FreeRadius Configuration (max_request_time, cleanup_delay,
 max_requests, max_servers, min_spare_servers, max_spare_servers, etc)

 Regards,
 Chris.


Re: Best config practices?

2008-08-11 Thread Alan DeKok
sphaero wrote:
 I was thinking to start adding a few custom files to include in the default
 config.
 
 $raddb/custom_mods.conf : the custom ldap and sql module definitions
 $raddb/custom_auth.conf : custom authentication entries
 $raddb/custom_autz.conf : custom authorization entries

  In 2.0.5, the raddb/modules directory can hold modules.  The
raddb/sites-enabled/ directory holds custom virtual servers.

 I'm using realms to link the different authorization modules.

  I'm not sure what that means..

 If I'm correct
 I need to add every realm to the proxy.conf file and set it to LOCAL. Is
 this really needed?

  You need to add realms to proxy.conf.  See the default proxy.conf,
realm LOCAL for an example of configuring a local realm.

 Finally I need to add the realms to users file
 
 DEFAULT Realm == test.com, Autz-Type := test.com

  That will work.  But in 2.0.5, I would suggest *not* using Autz-Type.
 The new virtual server functionality is much more powerful.

  Still... if this works for you, there's no harm in using it.

  Alan DeKok.


Re: Best config practices?

2008-08-11 Thread sphaero



Stefan Winter-4 wrote:
 
 
 Well, if you have LOCAL for *every* realm, my suggestion would be
 not to call any realm module at all. Then the proxy.conf file is ignored
 and you can leave it untouched.
 
 Then, obviously using Realm == test.com in the users file should be 
 replaced. You can do it by
 
 DEFAULT User-Name =~ [EMAIL PROTECTED], Autz-Type := test.com
 
 HTH,
 
 Stefan Winter
 

That's a handy suggestion. But what if I want to proxy certain realms to other
radius servers? I would still need to use the proxy.conf file. I might set
realm DEFAULT in proxy.conf and

    DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := test.com

and I'm back in business :)

Thanks,

Arnaud

-- 
View this message in context: 
http://www.nabble.com/Best-config-practices--tp18922693p18923309.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Best config practices?

2008-08-11 Thread sphaero

Ok,

To finalise for the archive:

In the freeradius config directory I create the following 3 files:
custom-mods.conf, custom-autz.conf, custom-auth.conf

custom-mods.conf:

    ldap bla1 {
        server = 10.48.65.1
        port = 636
        basedn = o=bla1
        filter = (cn=%{Stripped-User-Name:-%{User-Name}})
        access_attr = cn
        # "never": the LDAP server certificate is not checked
        tls_require_cert = never
        set_auth_type = yes
    }
    ldap bla2 {
        server = 10.60.65.1
        port = 636
        basedn = o=bla2
        filter = (cn=%{Stripped-User-Name:-%{User-Name}})
        access_attr = cn
        # "never": the LDAP server certificate is not checked
        tls_require_cert = never
        set_auth_type = yes
    }
    sql bla3 {
        driver = rlm_sql_unixodbc
        # Connect info
        server = mssql
        login = login_User
        password = passs
        radius_db = database

        acct_table1 = radacct
        acct_table2 = radacct

        authcheck_table = table_user
        authreply_table = table_user

        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = usergroup

        deletestalesessions = yes

        # Print all SQL statements when in debug mode (-x)
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql

        # number of sql connections to make to server
        num_sql_socks = 5
        sql_user_name = %{Stripped-User-Name:-%{User-Name:-none}}
        # Custom query that sets up the attributes!
        authorize_check_query = "SELECT UserID,Username,'SHA-Password' AS Attribute, Password, ':=' AS Op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
        authorize_reply_query = "SELECT UserID,Username from ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
    }

custom-autz.conf:

    Autz-Type bla1 {
        bla1
    }
    Autz-Type bla2 {
        bla2
    }
    Autz-Type bla3 {
        bla3
    }

custom-auth.conf:

    Auth-Type bla1 {
        bla1
    }
    Auth-Type bla2 {
        bla2
    }

add in proxy.conf:

    realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

and finally in users:

    DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla1
    DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla2
    DEFAULT Realm == DEFAULT, User-Name =~ [EMAIL PROTECTED], Autz-Type := bla3

that's it. This is for the 1.1 series. 2.0 could be done differently.
Correct?

Rg,

Arnaud

-- 
View this message in context: 
http://www.nabble.com/Best-config-practices--tp18922693p18924526.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
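
An added example, not part of the original post or of FreeRADIUS: a small Python check that parses module blocks like the ones posted above and flags LDAP instances whose tls_require_cert setting skips server-certificate verification, plus passwords stored inline. The sample input is constructed from the post; bla2 is altered to show a passing block, and the CA path is a placeholder.

```python
import re
# Constructed sample modelled on the post above (bla2 altered, CA path is a placeholder).
SAMPLE = """\
ldap bla1 {
port = 636
tls_require_cert  = never
}
ldap bla2 {
port = 636
tls_require_cert = demand
tls_cacertfile = /etc/raddb/certs/ca.pem
}
sql bla3 {
login = login_User
password = passs
}
"""

BLOCK = re.compile(r"^(\w+)\s+([\w.-]+)\s*\{$")   # e.g. "ldap bla1 {"
ITEM = re.compile(r"^([\w-]+)\s*=\s*(.*)$")       # e.g. "port = 636"

def parse_modules(text):
    """Return {(module, instance): {key: value}} for flat 'mod name { ... }' blocks."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := BLOCK.match(line)):
            current = modules.setdefault((m.group(1), m.group(2)), {})
        elif line == "}":
            current = None
        elif current is not None and (m := ITEM.match(line)):
            current[m.group(1)] = m.group(2).strip().strip('"')
    return modules

def audit(text):
    """Flag LDAP instances that skip certificate checks and credentials kept inline."""
    findings = []
    for (mod, name), cfg in parse_modules(text).items():
        mode = cfg.get("tls_require_cert", "").lower()
        if mod == "ldap" and mode in ("never", "allow"):
            findings.append((name, f"tls_require_cert={mode}: LDAP server certificate is not verified"))
        if "password" in cfg:
            findings.append((name, "password stored inline: restrict read access to this file"))
    return findings

if __name__ == "__main__":
    for name, msg in audit(SAMPLE):
        print(f"{name}: {msg}")
```

Only explicit never and allow values are flagged; a block with no tls_require_cert line inherits whatever the LDAP client library defaults to, which this check does not inspect.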
