Hello,
I would like to know if OpenSER supports some type of authentication credentials caching, to improve the performance when a non-local authentication service (i.e. RADIUS) is used. If it is not supported, are there any plans to include this functionality in future versions?
Bests, JB _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Hi John,
Credential caching is not support - for any of the backends (radius or sql). As far as I know, there are no plans for caching yet... Mainly because the fetching the passwd from DB is combined in a single query with caller profile fetching - see the "load_credentials" module param in auth_db module.
Regards, Bogdan
John Barry wrote:
Does anyone know of any Cacti templates for graphing the data from SNMPStats? I couldn't find anything with Google...
Thanks in advance.
Michael Young
No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.7/1285 - Release Date: 2/18/2008 5:50 AM
Hello all,
Thank you for your responses.
Indeed, I was thinking about a caching mechanisms similar to the one used in IMS, as Klaus described in the previous post.
If I store in a memory structure the authentication credentials (i.e. user and password) following some cache policy, I could use this structure to check if the user exists and check his/her identity without having to contact a remote database/radius server (where network latency typically is a bottleneck). If the user credentials are not in the cache, then OpenSER will contact the database/radius server to authenticate the user (normal procedure).
Maybe I am oversimplifying the problem. Could you help me to understand better why this is not possible?
Thanks, JB
Klaus Darilion-2 wrote:
JB74 writes:
jb,
what you describe is, of course, possible (unless user changes his/her password and cached credential don't work anymore) if your intention is JUST to authenticate the user.
if you read openser the radius authentication, you'll notice that authentication query may also return reply items that cause AVPs to be setup. for me these reply items are extremely important, because they contain all kinds of attributes associated with the authenticated user and his/her uri, and, due to they changing nature, it is not possible to cache them.
hope this explains why caching of credentials does not help to save the radius query.
-- juha
Caching authentication credentials surely speeds up the SIP digest authentication process a little bit. At the same time, it introduces a state synchronization issue because the credential database's state may differ from the credential cache state. What happens if I change a password in the database? Does it trigger a cache update?
In my opinion, these issues together with added code complexity outweigh the slight speed improvements resulting from a credential cache. Performance measurements with mysql and ldap backend have shown that openser can handle a huge number of authenticated SIP requests (>300 cps on dual xeon) without caching of auth credentials.
/Christian
JB74 wrote:
-
Bogdan-Andrei Iancu -
Christian Schlatter -
Iñaki Baz Castillo -
JB74 -
jh@tutpro.com -
John Barry
-
Klaus Darilion -
Michael Young