summaryrefslogtreecommitdiffstats
path: root/doc/deployment
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/deployment/CYGWIN.rst283
-rw-r--r--doc/deployment/MACOSX12
-rw-r--r--doc/deployment/OS222
-rw-r--r--doc/deployment/performance-testing168
-rw-r--r--doc/deployment/supervise-radiusd.rst163
-rw-r--r--doc/deployment/tuning_guide58
6 files changed, 706 insertions, 0 deletions
diff --git a/doc/deployment/CYGWIN.rst b/doc/deployment/CYGWIN.rst
new file mode 100644
index 0000000..da61d49
--- /dev/null
+++ b/doc/deployment/CYGWIN.rst
@@ -0,0 +1,283 @@
+FreeRADIUS for EAP under CygWin
+===============================
+
+From: "Philip Blow" <philipb@simplywireless.com.au>
+To: <freeradius-users@lists.cistron.nl>
+Date: Wed, 29 Jan 2003 15:23:45 +1100
+
+Here are some brief notes I but together for compiling FreeRADIUS 0.8.1
+on Windows XP with EAP/TLS support.
+
+Configuring FreeRADIUS for EAP under CygWin.
+--------------------------------------------
+
+#. Installing CygWin
+
+ Install the latest version of CygWin (at time of writing 1.3.19-1) from http://www.cygwin.com
+
+#. Install the following packages (make as minimum list)
+
+ +--------------------+-----------------+
+ | Package | Version |
+ +====================+=================+
+ | _update-info-dir | 00126-1 |
+ +--------------------+-----------------+
+ | ash | 20020731-1 |
+ +--------------------+-----------------+
+ | autoconf | 2.54-1 |
+ +--------------------+-----------------+
+ | autoconf-devel | 2.57-1 |
+ +--------------------+-----------------+
+ | autoconf-stable | 2.13-4 |
+ +--------------------+-----------------+
+ | automake | 1.7.1-1 |
+ +--------------------+-----------------+
+ | automake-devel | 1.7.2-1 |
+ +--------------------+-----------------+
+ | automake-stable | 1.4p5-5 |
+ +--------------------+-----------------+
+ | base-files | 1.1-1 |
+ +--------------------+-----------------+
+ | base-passwd | 1.0-1 |
+ +--------------------+-----------------+
+ | bash | 2.05b-8 |
+ +--------------------+-----------------+
+ | bc | 1.06-1 |
+ +--------------------+-----------------+
+ | binutils | 20021117-1 |
+ +--------------------+-----------------+
+ | byacc | 1.9-1 |
+ +--------------------+-----------------+
+ | bzip2 | 1.0.2-2 |
+ +--------------------+-----------------+
+ | crypt | 1.0-1 |
+ +--------------------+-----------------+
+ | cygrunsrv | 0.95-1 |
+ +--------------------+-----------------+
+ | cygutils | 1.1.3-1 |
+ +--------------------+-----------------+
+ | cygwin | 1.3.19-1 |
+ +--------------------+-----------------+
+ | cygwin-doc | 1.3-2 |
+ +--------------------+-----------------+
+ | diff | 1.0-1 |
+ +--------------------+-----------------+
+ | diffutils | 2.8.1-1 |
+ +--------------------+-----------------+
+ | ed | 0.2-1 |
+ +--------------------+-----------------+
+ | file | 3.37-1 |
+ +--------------------+-----------------+
+ | fileutils | 4.1-1 |
+ +--------------------+-----------------+
+ | findutils | 4.1.7-4 |
+ +--------------------+-----------------+
+ | gawk | 3.1.1-5 |
+ +--------------------+-----------------+
+ | gcc | 3.2-3 |
+ +--------------------+-----------------+
+ | gcc-mingw | 20020817-5 |
+ +--------------------+-----------------+
+ | gcc2 | 2.95.3-10 |
+ +--------------------+-----------------+
+ | gdb | 20021218-1 |
+ +--------------------+-----------------+
+ | gdbm | 1.8.0-4 |
+ +--------------------+-----------------+
+ | gettext | 0.11.5-1 |
+ +--------------------+-----------------+
+ | grep | 2.5-1 |
+ +--------------------+-----------------+
+ | groff | 1.18.1-2 |
+ +--------------------+-----------------+
+ | gzip | 1.3.3-4 |
+ +--------------------+-----------------+
+ | inetutils | 1.3.2-20 |
+ +--------------------+-----------------+
+ | initscripts | 0.9-1 |
+ +--------------------+-----------------+
+ | less | 378-1 |
+ +--------------------+-----------------+
+ | libbz2_0 | 1.0.2-1 |
+ +--------------------+-----------------+
+ | libbz2_1 | 1.0.2-2 |
+ +--------------------+-----------------+
+ | libiconv2 | 1.8-2 |
+ +--------------------+-----------------+
+ | libintl | 0.10.38-3 |
+ +--------------------+-----------------+
+ | libintl1 | 0.10.40-1 |
+ +--------------------+-----------------+
+ | libintl2 | 0.11.5-1 |
+ +--------------------+-----------------+
+ | libltdl3 | 20030103-1 |
+ +--------------------+-----------------+
+ | libncurses5 | 5.2-1 |
+ +--------------------+-----------------+
+ | libncurses6 | 5.2-8 |
+ +--------------------+-----------------+
+ | libpng10 | 1.0.14-2 |
+ +--------------------+-----------------+
+ | libpng12 | 1.2.4-2 |
+ +--------------------+-----------------+
+ | libpopt0 | 1.6.4-4 |
+ +--------------------+-----------------+
+ | libreadline4 | 4.1-2 |
+ +--------------------+-----------------+
+ | libreadline5 | 4.3-2 |
+ +--------------------+-----------------+
+ | libtool | 20020202a-1 |
+ +--------------------+-----------------+
+ | libtool-devel | 20021227-1 |
+ +--------------------+-----------------+
+ | libtool-stable | 1.4.2-2 |
+ +--------------------+-----------------+
+ | libxml2 | 2.4.23-1 |
+ +--------------------+-----------------+
+ | login | 1.7-1 |
+ +--------------------+-----------------+
+ | m4 | 1.4-1 |
+ +--------------------+-----------------+
+ | make | 3.79.1-7 |
+ +--------------------+-----------------+
+ | man | 1.5j-1 |
+ +--------------------+-----------------+
+ | mingw-runtime | 2.3-1 |
+ +--------------------+-----------------+
+ | mktemp | 1.4-1 |
+ +--------------------+-----------------+
+ | more | 2.11o-1 |
+ +--------------------+-----------------+
+ | nasm | 0.98.35-1 |
+ +--------------------+-----------------+
+ | ncurses | 5.2-8 |
+ +--------------------+-----------------+
+ | newlib-man | 20020801 |
+ +--------------------+-----------------+
+ | openssh | 3.5p1-3 |
+ +--------------------+-----------------+
+ | openssl | 0.9.7-1 |
+ +--------------------+-----------------+
+ | openssl-devel | 0.9.7-1 |
+ +--------------------+-----------------+
+ | openssl096 | 0.9.6h-1 |
+ +--------------------+-----------------+
+ | patch | 2.5.8-2 |
+ +--------------------+-----------------+
+ | pcre | 3.7-1 |
+ +--------------------+-----------------+
+ | perl | 5.6.1-2 |
+ +--------------------+-----------------+
+ | readline | 4.3-2 |
+ +--------------------+-----------------+
+ | sed | 4.0.5-1 |
+ +--------------------+-----------------+
+ | sh-utils | 2.0.15-3 |
+ +--------------------+-----------------+
+ | sharutils | 4.2.1-2 |
+ +--------------------+-----------------+
+ | sysvinit | 2.84-3 |
+ +--------------------+-----------------+
+ | tar | 1.13.25-1 |
+ +--------------------+-----------------+
+ | tcltk | 20021218-1 |
+ +--------------------+-----------------+
+ | termcap | 20020930-1 |
+ +--------------------+-----------------+
+ | terminfo | 5.2-3 |
+ +--------------------+-----------------+
+ | texinfo | 4.2-4 |
+ +--------------------+-----------------+
+ | textutils | 2.0.21-1 |
+ +--------------------+-----------------+
+ | tiff | 3.5.7-1 |
+ +--------------------+-----------------+
+ | time | 1.7-1 |
+ +--------------------+-----------------+
+ | unzip | 5.50-1 |
+ +--------------------+-----------------+
+ | vim | 6.1-2 |
+ +--------------------+-----------------+
+ | w32api | 2.1-1 |
+ +--------------------+-----------------+
+ | wget | 1.8.2-2 |
+ +--------------------+-----------------+
+ | which | 1.5-1 |
+ +--------------------+-----------------+
+ | xinetd | 2.3.9-1 |
+ +--------------------+-----------------+
+ | zip | 2.3-2 |
+ +--------------------+-----------------+
+ | zlib | 1.1.4-1 |
+ +--------------------+-----------------+
+
+#. Download
+
+ Download the FreeRADIUS source code from http://www.freeradius.org/
+
+#. Expand the FreeRADIUS source file.
+
+#. Make the following changes to the source code
+ (the diffs are reversed)
+
+ ::
+
+ src/main/Makefile.in
+
+ 145,148c145,148
+ < $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP)
+ radiusd.exe $(R)$(sbindir)
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) radwho.exe
+ $(R)$(bindir)
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) raduse.exe
+ $(R)$(bindir)
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) radzap.exe
+ $(R)$(bindir)
+ ---
+ > $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP)
+ radiusd $(R)$(sbindir)
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) radwho
+ $(R)$(bindir)
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) raduse
+ $(R)$(bindir)
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) radzap
+ $(R)$(bindir)
+ 150,151c150,151
+ < $(INSTALL) -m 755 radclient.exe $(R)$(bindir)
+ < $(INSTALL) -m 755 radrelay.exe $(R)$(bindir)
+ ---
+ > $(INSTALL) -m 755 radclient $(R)$(bindir)
+ > $(INSTALL) -m 755 radrelay $(R)$(bindir)
+
+ src/modules/rlm_dbm/Makefile.in
+
+ 22,23c22,23
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) rlm_dbm_parser.exe
+ $(R)$(bindir)
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) rlm_dbm_cat.exe
+ $(R)$(bindir)
+ ---
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) rlm_dbm_parser $(R)$(bindir)
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) rlm_dbm_cat $(R)$(bindir)
+
+ src/modules/rlm_mschap/Makefile
+
+ 20c20
+ < $(INSTALL) -m 755 $(INSTALLSTRIP) smbencrypt.exe $(R)$(bindir)
+ ---
+ > $(INSTALL) -m 755 $(INSTALLSTRIP) smbencrypt $(R)$(bindir)
+
+#. Run configure with the following command line
+
+ ::
+
+ ./configure -without-snmp -disable-shared -enable-static
+
+#. Execute make and then make install
+
+::
+
+ Philip Blow
+ Senior Technical Manager
+ Simply Wireless
+ philipb@simplywireless.com.au
diff --git a/doc/deployment/MACOSX b/doc/deployment/MACOSX
new file mode 100644
index 0000000..39ebaec
--- /dev/null
+++ b/doc/deployment/MACOSX
@@ -0,0 +1,12 @@
+ Installing FreeRADIUS on MAC OSX
+ --------------------------------
+
+1) download, unzip and untar freeradius.tar.gz
+
+2) $ ./configure
+
+3) $ make
+
+4) $ make install
+
+It's what the developers use, so we make sure it works.
diff --git a/doc/deployment/OS2 b/doc/deployment/OS2
new file mode 100644
index 0000000..fc676c9
--- /dev/null
+++ b/doc/deployment/OS2
@@ -0,0 +1,22 @@
+Compiling FreeRADIUS under OS/2
+
+To compile FreeRADIUS unde OS/2 you must have a full EMX environment with GNU
+utilities (like make,sh)
+
+The EMX can be get from http://hobbes.nmsu.edu
+
+To work with CVS repository you must install cvs110.zip from hobbes also
+
+before entering in sh.exe you must do
+SET SHELL=sh.exe
+
+before running ./configure you must set the shell the variables :
+export CC=gcc
+export MAKE=fullpathofyourmake.exe
+export PERL=fullpathofyourperl.exe
+
+
+The OS/2 version of FreeRADIUS can't directly execute checkrad.pl then the
+program will execute a checkrad.cmd
+
+
diff --git a/doc/deployment/performance-testing b/doc/deployment/performance-testing
new file mode 100644
index 0000000..71945c1
--- /dev/null
+++ b/doc/deployment/performance-testing
@@ -0,0 +1,168 @@
+
+Radius Test Procedures
+
+0. INTRODUCTION
+
+This document describes how to test your radius server authentication
+using random usernames and passwords with the 'radclient' program.
+
+1. WHY TEST
+
+Many people want to see the difference in efficiency behind the various
+authentication methods, compilation methods, etc of their radius server.
+Before now, this was difficult to do efficiently across a large number
+of users. However, with this document, you'll be able to test your
+radius server and determine the best options to use for your system.
+
+2. GETTING STARTED
+
+First thing we have to do is generate a large number of users. You'll
+want to do this even if you have a large passwd file you want to use
+from your system, because the create user script sets up other files
+you need for testing. So head to the scripts/ directory, and do this:
+
+Make a tmp dir
+# mkdir tmp
+# cp create-users.pl tmp
+# cd tmp
+
+Run the script to create 10,000 (or however many you want) random users
+and passwords
+# ./create-users.pl 10000
+
+Output from the script will include several files:
+ passwd : A standard passwd file you can append to /etc/passwd
+ shadow : A standard shadow file you can append to /etc/shadow
+passwd.nocrypt : A file with *unencrypted* users & passes in form "user:pass"
+ radius.test : File you'll use as input for radclient
+ radius.users : A standard radius 'users' file
+
+So, equipped with lots of users and passwords, there's several methods of
+authentication you can test:
+
+ o System users (Auth-Type:=System)
+ o Local users (Auth-Type:=Local)
+ o Cached system (passwd) users
+ o Others
+
+NOTE: Before moving on, you will probably want to add '/dev/null' to
+/etc/shells *temporarily* so that default system authentication will
+work. REMEMBER TO TAKE IT OUT!
+
+3. TEST PROCEDURES
+
+ A. System (/etc/passwd) users testing
+
+ 1. Append the 'passwd' file from create-users.pl onto your
+ system passwd file:
+
+ # cat ./passwd >> /etc/passwd
+
+ 2. If you have shadow, append the shadow file onto /etc/shadow
+
+ # cat ./shadow >> /etc/shadow
+
+ 3. Make sure you have a DEFAULT user similar to the following
+ in your radius 'users' file:
+
+ DEFAULT Auth-Type:=System
+ Reply-Message = "Success!"
+
+ 4. Start radiusd
+
+ # /usr/local/sbin/radiusd
+
+ 5. Run radclient with 'radius.test' as the input file.
+
+ NOTE: First you need to setup a secret for your local
+ machine in the 'clients' file and use that secret below
+
+ # time /usr/local/bin/radclient -q -s -f radius.test \
+ <yourhostname> auth <secret>
+
+ NOTE: The above is to be put all on one line.
+
+ NOTE: Some systems do not have the 'time' command,
+ so you may need to break out the stopwatch instead :)
+
+ Take note of the output of radclient. If there were lots of
+ failures, something is wrong. All authentications should
+ succeed.
+
+ 6. Take note of the output from the above 'time' command.
+ The output format should be something similar to the
+ following (on linux, this for example only!):
+
+ 1.72user 0.53system 5:11.34elapsed 0%CPU
+ (0avgtext+0avgdata 0maxresident)k 0inputs+0outputs
+ (340major+29minor)pagefaults 0swaps
+
+ This means it took 5:11 (311 seconds) to authenticate
+ 10,000 users. Simple division tells us this is:
+
+ 10,000 auths / 311 seconds = 32.1543 auths/second
+
+ B. Local users testing
+
+ 1. Copy the 'radius.users' file from the script over your 'users'
+ file. Make sure you do NOT have a DEFAULT entry or you will
+ invalidate this test.
+
+ 2. Restart radiusd (kill and restart)
+
+ 3. Run radclient (See A-5 above for NOTES on this):
+
+ # time /usr/local/bin/radclient -q -s -f radius.test \
+ <yourhostname> auth <secret>
+
+ 4. Take note of the output from the above 'time' command, and
+ divide the number of auths (10,000 in this case) with the
+ number of seconds it took to complete. See A6 above for
+ more info.
+
+ C. Cached system users
+
+ 1. Set 'cache=yes' in your radiusd.conf file
+
+ 2. Restart radiusd (ie, kill it and restart, not just a HUP)
+
+ 3. Perform the same steps outlined above for testing System users (A)
+
+ D. Other methods
+
+ There is no reason why you can't use some of this to test modules
+ for PAM, SQL, LDAP, etc, but that will require a little extra
+ work on your end (ie, getting the users/passes you generated into
+ the corresponding database). However, by now you should have a
+ good idea of how to test once you do that.
+
+ Also, play around with compile options like --with-thread,
+ --with-thread-pool, etc. Run radiusd with '-s' so it runs
+ one process only, etc etc. Play around with it.
+
+4. CAVEATS
+
+The above test procedures make no allowances for users that login with
+incorrect usernames or passwords. If you want a true test of performance,
+you should add in lots of bad usernames and passwords to the radius.test
+file and then re-run 'radclient' with that file as input.
+
+Additionally, these tests make no reference to how the pre-authenticate,
+post-authenticate, and accounting methods you choose could affect server
+performance. For example, checking for simultaneous use after authenti-
+cating the user is obviously going to slow down authenticate performance.
+
+The numbers you get from this test are raw authentications/second in a
+perfect environment. Do not expect this kind of result in the real world.
+However, having tested in this manner, you will have a good idea of which
+authentication methods and compilation options give you the best base to
+start from, which is key to an efficient server.
+
+5. RESULTS
+
+I'd really rather not post results because they will vary tremendously
+with other system-specific configuration. This is exactly the reason
+you should run tests of this nature, to find what's best for *your*
+system. Good luck!
+
+
diff --git a/doc/deployment/supervise-radiusd.rst b/doc/deployment/supervise-radiusd.rst
new file mode 100644
index 0000000..e4922ed
--- /dev/null
+++ b/doc/deployment/supervise-radiusd.rst
@@ -0,0 +1,163 @@
+
+Supervising the Radiusd Daemon
+==============================
+
+Introduction
+------------
+
+We all hope that our radius daemons won't die in the middle of the
+nite stranding customer and beeping beepers. But, alas, it's going to
+happen, and when you least expect it. That's why you want a another
+process watching your radius daemon, restarting it if and when it
+dies.
+
+This text describes how to setup both the free radius daemon so that
+it is automatically restarted if the process quits unexpectedly. To
+do this, we'll use either Dan Bernstein's 'daemontools' package or the
+inittab file. Note: The radwatch script that used to be part of this
+distribution, is depreciated and SHOULD NOT BE USED.
+
+Setting Up Daemontools
+----------------------
+
+First, download (and install) daemontools from:
+
+ http://cr.yp.to/daemontools.html
+
+The latest version as of this writing is 0.70. It would be well worth
+your while to read all the documentation at that site too, as you can
+do much more with daemontools than I describe here.
+
+Next, we'll need a directory for the radius 'service' to use with
+daemontools. I usually create a dir '/var/svc' to hold all my
+daemontool supervised services. i.e.::
+
+ $ mkdir /var/svc
+ $ mkdir /var/svc/radiusd
+
+Now we just need a short shell script called 'run' in our new service
+directory that will start our daemon. The following should get you
+started::
+
+ #!/bin/sh
+ # Save as /var/svc/radiusd/run
+ exec /usr/local/sbin/radiusd -s -f
+
+Of course you'll want to make that 'run' file executable::
+
+ $ chmod +x /var/svc/radiusd/run
+
+Note, you *MUST* use the '-f' option when supervising. That option
+tells radiusd not to detach from the tty when starting. If you don't
+use that option, the daemontools will always think that radiusd has
+just died and will (try to) restart it. Not good.
+
+Now the only left to do is to start the 'supervise' command that came
+with daemontools. Do that like so::
+
+ $ supervise /var/svc/radiusd
+
+Maintenance With Daemontools
+----------------------------
+
+ Any maintenance you need to do with almost certainly be done with the
+ 'svc' program in the deamontools package. i.e.::
+
+ Shutdown radiusd:
+ $ svc -d /var/svc/radiusd
+
+ Start it back up:
+ $ svc -u /var/svc/radiusd
+
+ Send HUP to radiusd:
+ $ svc -h /var/svc/radiusd
+
+ Shutdown and stop supervising radiusd:
+ $ svc -dx /var/svc/radiusd
+
+Supervising With Inittab
+------------------------
+
+This is really pretty easy, but it is system dependent. I strongly
+suggest you read the man pages for your 'init' before playing with
+this. You can seriously hose your system if you screw up your
+inittab.
+
+Add this line (or something similar to it) to your inittab::
+
+ fr:23:respawn:/usr/local/sbin/radiusd -f -s &> /dev/null
+
+Now all that's left is to have the system reread the inittab. Usually
+that's done with one of the following::
+
+ $ telinit Q
+
+or::
+
+ $ init q
+
+Now you should see a 'radiusd' process when you issue a 'ps'. If you
+don't, try to run the radiusd command you put in inittab manually. If
+it works, that means you didn't tell the system to reread inittab
+properly. If it doesn't work, that means your radius start command is
+bad and you need to fix it.
+
+Acknowledgements
+----------------
+
+ Document author : Jeff Carneal
+ daemontools auther : Dan Bernstein
+ Further daemontool notes (below): Antonio Dias
+ Radwatch note : Andrey Melnikov
+
+Further Daemontools notes
+=========================
+
+Here are some notes by Antonia Dias sent to the free radius mailing
+list. Some of you may find this useful after reading the above and the
+docs for daemontools.
+
+Daemontools Instructions
+------------------------
+
+I am running radiusd under supervise from daemontools without
+problems. The only thing I am missing right now is an option to force
+radiusd to send log to stderr so I can manage logs better with
+multilog (also included in daemontools package). Here is the procedure
+I've been following (for Cistron RADIUS)::
+
+ $ groupadd log
+ $ useradd -g log log
+ $ mkdir /etc/radiusd
+ $ mkdir /etc/radiusd/log
+ $ mkdir /etc/radiusd/log/main
+ $ chmod +t+s /etc/radiusd /etc/radiusd/log
+ $ chown log.log /etc/radiusd/log/main
+
+Here are the contents of run files from '/etc/radiusd' and '/etc/radiusd/log'::
+
+ $ cd /etc/radiusd
+ $ cat run
+ #!/bin/sh
+ exec 2>&1
+ exec /usr/sbin/radiusd -fyzx
+ $ cd /etc/radiusd/log
+ $ cat run
+ #!/bin/sh
+ exec setuidgid log multilog t ./main
+
+ To make service wake-up do::
+
+ $ ln -sf /etc/radiusd /service
+
+ Hang-up (to reload config) it using::
+
+ $ svc -h /service/radiusd
+
+Disable (down) it using::
+
+ $ svc -d /service/radiusd
+
+Reenable (up) it using::
+
+ $ svc -u /service/radiusd
diff --git a/doc/deployment/tuning_guide b/doc/deployment/tuning_guide
new file mode 100644
index 0000000..264749f
--- /dev/null
+++ b/doc/deployment/tuning_guide
@@ -0,0 +1,58 @@
+------------ MAIN SERVER -------------
+o If you have a large user base and/or many authentication requests try
+ using a scalable authentication mechanism like ldap or sql.
+o Enable noatime on all the freeradius log files or better yet on the
+ freeradius log directory.
+o Always use the latest cvs version. It will probably contain a few
+ fixes and enhancements.
+o Always try to use the least modules possible. In particular if you
+ can avoid it do not use the detail and radwtmp (files) modules.
+ They will slow down your accounting.
+o Use the users file to only set default profiles. Do not place any
+ users there. Keep it as small as possible. Always set default
+ attributes in the users file and don't fill the user entries in
+ ldap/sql with default values. In general the ldap/sql user profiles
+ should contain user attributes only in special user cases.
+o Tune thread pool parameters to match your size requirements.
+ Set max_requests_per_server to zero to avoid server thread restarts.
+o Enlarge the timeout (10 secs) and retries (5-7) in the access servers
+ for accounting. That way you won't lose any accounting information.
+o Use well tuned Fast Ethernet connections to minimize latency.
+o freeradius is multi threaded and i/o bound. That means you should use
+ the latest OS kernels/patches for improved multi processor and
+ network performance.
+
+------------ LDAP MODULE -------------
+o Try to maximize caching in the ldap server. In particular *always*
+ enable indexing of the uid attribute (equality index) and the
+ cn attribute (equality index - the cn attribute is used to search
+ for groups). Make the ldap server entry/directory cache memory sizes
+ as large as possible. In general try allocating as much memory as you
+ can afford to your ldap server.
+o Put default profiles in ldap. User entries should only contain
+ non standard values in order to remain small and maximize the gains
+ of caching the user default/regular profiles.
+o Enable group caching in groups.
+
+------------ SQL MODULE --------------
+o Use the sql module in the session section instead of the radutmp module.
+ It works *much* quicker.
+o Create a multi column index for the (UserName,AcctStopTime) attributes especially
+ if you are using sql for double login detection.
+o If you are using mysql and you do a lot of accounting try using InnoDB for the radacct
+ table instead of MyISAM (this should be the default in all schemas)
+o Add AcctUniqueId in the accounting_stop query. Especially if you have a lot of access
+ servers or your NAS does not send very random Session-Ids. That way you will always have
+ one candidate row to search for, instead of all the rows that have the same AcctSessionId
+
+------------ COUNTER MODULE ----------
+o Enable noatime on the counter db files.
+o Tune the cache_size configuration directive to match your needs.
+ The cache size should be set to 2-3 * number of available nas ports.
+o Keep the database in a memory mapped file if you can help. Backup the
+ file every 10 mins to the disk and copy it to the memory mapped one
+ on server startup.
+
+------------ RADUTMP MODULE ----------
+o Enable noatime on the radutmp file
+o Don't use it