Hi,
We've tested with freeradius 3.2.6 in a preproduction environment.
We've installed these packages from bookworm-backports target release (*).
In debug mode (freeradius -X) we could see several warnings like this (**).
Authentication EAP-TTLS-PAP seems to work fine.
We could make an effort and test in production next week.
The memory issue manifests after several weeks; we need a guarantee of proper
functionality during this time.
The warning seems serious. Could you give us any advice about this?
Thanks
(*)
ii freeradius 3.2.6+dfsg-2~bpo12+1 amd64 high-performance and highly configurable RADIUS server
ii freeradius-common 3.2.6+dfsg-2~bpo12+1 all FreeRADIUS common files
ii freeradius-config 3.2.6+dfsg-2~bpo12+1 amd64 FreeRADIUS default config files
ii freeradius-ldap 3.2.6+dfsg-2~bpo12+1 amd64 LDAP module for FreeRADIUS server
ii freeradius-utils 3.2.6+dfsg-2~bpo12+1 amd64 FreeRADIUS client utilities
ii libfreeradius3 3.2.6+dfsg-2~bpo12+1 amd64 FreeRADIUS shared library
(**)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
On 6/1/25 at 15:58, Bernhard Schmidt wrote:
Hi,
> Our RADIUS service primarily provides authentication for a Wi-Fi network
> that uses the EAP-TTLS-PAP method.
> Used modules include, among others, eap, ldap, linelog, pap, and sql_log.
> Over 13K different users are authenticated daily.
> In Debian 11, freeradius service had stable memory consumption.
> After performing a dist-upgrade to Debian 12, freeradius consumes memory
> without limit.
You are the first to report it, but that does not make it wrong.
Could you test with the 3.2.6 upstream version in bookworm-backports as
well? This is the current upstream version; if it happens there as well,
we might have a chance of upstream taking care of it.
Bernhard
--
Subdirección de Infraestruturas - Sistemas de rede
Área de Tecnoloxías da Información e Comunicacións
Universidade de Santiago de Compostela
15782 Santiago de Compostela
http://www.usc.es/atic/sistemas