Robust Authentication Proxying

Philip Molter hrunting at hrunting.org
Fri Jul 10 15:41:34 CEST 2009


Ivan Kalik wrote:
>> Yeah, that's what I'm doing.  The problem is that the retries are not
>> being sent to a different home server (or any home server).  They are
>> being dropped as retransmits because internally, freeradius is
>> tracking that no reply was sent to them earlier.  I have tried
>> tweaking cleanup_delay to 0 or 1 to flush these out sooner, but it
>> does not work -- they do not appear to be tracked the same way as
>> normal responses.  Here are the debug messages from radiusd -X:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 47163,
>> id=155, length=59
>> Ignoring retransmit from client SERVERS port 47163 - ID: 155, no reply
>> was configured
> 
> Yes, length of that is controlled by response_window. Server will ignore
> retransmits while waiting for response. If you shorten response_window
> home server will be marked as zombie faster.

I must be missing something, because even after the home_server has been 
marked as a zombie, the proxy is still ignoring the retransmits. 
Furthermore, it's taking much longer than the response_window for the 
home_server to be marked as a zombie.

I have a response_window of 1, trying to force the home_server to be 
marked zombie as fast as possible.  Here are the log messages (I've 
stripped out test packet contents) for the three client attempts using 
radtest, which sends 3 packets for a total processing time of 15 seconds:

rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, 
length=59
+- entering group authorize {...}
++[control] returns notfound
+- entering group pre-proxy {...}
[attr_filter.pre-proxy]         expand: %{Realm} -> DEFAULT
  attr_filter: Matched entry DEFAULT at line 50
++[attr_filter.pre-proxy] returns updated
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Proxying request 0 to home server xxx.xxx.xxx.12 port 1812
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, 
length=59
Sending duplicate proxied request to home server xxx.xxx.xxx.12 port 
1812 - ID: 175
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Rejecting request 0 due to lack of any response from home server 
xxx.xxx.xxx.12 port 1812
   Found Post-Proxy-Type
+- entering group Fail {...}
++[control] returns noop
++- entering policy do_not_respond {...}
+++[control] returns noop
+++[handled] returns handled
++- policy do_not_respond returns handled
Going to the next request
PROXY: Marking home server xxx.xxx.xxx.12 port 1812 as zombie (it looks 
like it is dead).
Sending Status-Server of id 81 to xxx.xxx.xxx.12 port 1812
         Message-Authenticator := 0x00000000000000000000000000000000
         NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, 
length=59
Ignoring retransmit from client SERVERS port 39091 - ID: 56, no reply 
was configured
Waking up in 2.9 seconds.
Sending Status-Server of id 37 to xxx.xxx.xxx.12 port 1812
         Message-Authenticator := 0x00000000000000000000000000000000
         NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.
Waking up in 1.6 seconds.
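As an added illustration (not part of the original post, and not FreeRADIUS code), the script below reads the radiusd -X excerpt quoted above, with the mail-client line wraps removed and the packet attribute dumps left out, and reconstructs what happened to each of the three client attempts: the first was proxied, the second was re-sent to the home server as a duplicate, and the third was dropped as a retransmit even though the home server had already been marked zombie. The regular expressions are written against the exact message formats that appear in the debug output above; the SAMPLE_LOG text and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the radiusd -X output from the post above, unwrapped,
# with the authorize/pre-proxy module lines and attribute dumps omitted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, length=59
+- entering group authorize {...}
++[control] returns notfound
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Proxying request 0 to home server xxx.xxx.xxx.12 port 1812
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, length=59
Sending duplicate proxied request to home server xxx.xxx.xxx.12 port 1812 - ID: 175
Sending Access-Request of id 175 to xxx.xxx.xxx.12 port 1812
Rejecting request 0 due to lack of any response from home server xxx.xxx.xxx.12 port 1812
++- policy do_not_respond returns handled
Going to the next request
PROXY: Marking home server xxx.xxx.xxx.12 port 1812 as zombie (it looks like it is dead).
Sending Status-Server of id 81 to xxx.xxx.xxx.12 port 1812
Waking up in 3.9 seconds.
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 39091, id=56, length=59
Ignoring retransmit from client SERVERS port 39091 - ID: 56, no reply was configured
Waking up in 2.9 seconds.
Sending Status-Server of id 37 to xxx.xxx.xxx.12 port 1812
Waking up in 3.9 seconds.
Waking up in 1.6 seconds.
"""

# One pattern per debug message we care about, matched against the line start.
PATTERNS = {
    "recv":      re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)"),
    "send":      re.compile(r"^Sending Access-Request of id (\d+) to (\S+) port (\d+)"),
    "proxy":     re.compile(r"^Proxying request (\d+) to home server (\S+) port (\d+)"),
    "dup_proxy": re.compile(r"^Sending duplicate proxied request to home server (\S+) port (\d+) - ID: (\d+)"),
    "reject":    re.compile(r"^Rejecting request (\d+) due to lack of any response from home server (\S+) port (\d+)"),
    "zombie":    re.compile(r"^PROXY: Marking home server (\S+) port (\d+) as zombie"),
    "ignored":   re.compile(r"^Ignoring retransmit from client (\S+) port (\d+) - ID: (\d+)"),
    "status":    re.compile(r"^Sending Status-Server of id (\d+) to (\S+) port (\d+)"),
    "sleep":     re.compile(r"^Waking up in ([\d.]+) seconds"),
}


@dataclass
class Event:
    seq: int            # line position in the log (the output carries no timestamps)
    kind: str           # key from PATTERNS
    fields: tuple       # captured groups, e.g. host/port/id
    after_zombie: bool  # True once a "Marking ... as zombie" line has been seen


def parse_debug_log(text):
    """Turn the debug output into an ordered list of recognised events."""
    events = []
    zombie_seen = False
    for seq, line in enumerate(text.splitlines()):
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                if kind == "zombie":
                    zombie_seen = True
                events.append(Event(seq, kind, m.groups(), zombie_seen))
                break
    return events


def summarize(events):
    """Count events by kind."""
    counts = {}
    for e in events:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def retry_outcomes(events):
    """For each client (host, port, id), what the proxy did with each copy it received."""
    outcomes = {}
    current = None
    for e in events:
        if e.kind == "recv":
            current = (e.fields[1], e.fields[2], e.fields[3])
            outcomes.setdefault(current, []).append("no-action")
        elif current and e.kind in ("proxy", "dup_proxy", "ignored") \
                and outcomes[current][-1] == "no-action":
            outcomes[current][-1] = e.kind
    return outcomes


def retransmits_ignored_after_zombie(events):
    """Client retransmits that were dropped after the home server was already zombie."""
    return [e for e in events if e.kind == "ignored" and e.after_zombie]


if __name__ == "__main__":
    evs = parse_debug_log(SAMPLE_LOG)
    print(summarize(evs))
    print(retry_outcomes(evs))
    print(len(retransmits_ignored_after_zombie(evs)), "retransmit(s) ignored after zombie mark")
```

Run against a full debug capture, the retry_outcomes map makes the behaviour described in this thread visible per client request: a trailing "ignored" entry for a request whose home server is already zombie is exactly the case being asked about, since that retry reached neither the original home server nor any fail-over.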


