The default behaviour for <AuthBy
RADIUS>
is to return IGNORE as soon as the request has been
forwarded to the remote RADIUS server. It will not wait for a reply before
moving on to other AuthBy classes, or handling new requests. You can
change this behaviour with the Synchronous
flag, but
make sure you understand what you are doing before enabling the
Synchronous
flag.
If you enable the
Synchronous
flag, Radiator will wait for either a
reply, or a timeout from the remote radius server before processing any
following AuthBy clauses, or before handling any further requests. This
means that handling requests will stop until a reply is received or the
reply times out (which might take 15 seconds or more, depending on the
settings of your
RetryTimeout
and retries
parameters). This can seriously affect the performance of your RADIUS
server, especially if the remote radius server is slow, stopped, or at the
end of a slow or unreliable link. You should therefore be very cautious
about setting this flag, and you should understand the consequences of
remote server failure. The performance impact of the
Synchronous
flag can be alleviated by use of the
Fork
parameter (see
Section 3.32.42. Fork) at the cost of significant
increase in memory requirements.
Nevertheless,
Synchronous
can be very handy if you wish, for
example, to forward a request to remote server only if another server
REJECTS the request. See the example below for sample
configuration.
# Auth to server2 only if server 1 rejects. Caution:
# accounting will normally go to server1, unless it rejects
<Realm xxxxxx>
AuthByPolicy ContinueWhileReject
<AuthBy RADIUS>
# Wait here until we get a reply or a timeout
Synchronous
Host server1
Secret xxxxxx
</AuthBy>
<AuthBy RADIUS>
Host server2
Secret yyy
</AuthBy>
</Realm>