Radius Timeout instead of Access-Reject

Stefan Winter stefan.winter at restena.lu
Wed Aug 8 09:59:08 CEST 2012


Hi,

there's reject_delay in radiusd.conf

It is typically set to one second to prevent some attacks. You could set
it to zero and then the reject may come through faster.

Still, 300 ms is *really* low even for that - depending on the time your
auth backend needs to even determine whether it was success or failure
may take longer than that.

Stefan

On 07.08.2012 20:55, Antonio Modesto wrote:
> You're right, it worked. The default MikroTik timeout is 300 ms, I've set
> it to 5000 ms and I've got the right answer. One more question: though
> I'll reconfigure all the timeouts on my NASes, why doesn't this
> problem happen with freeradius 1.X? Is that normal? Or is it something
> that's causing my freeradius 2.x to take longer to reply to the requests?
> 
> 2012/8/7 Alan DeKok <aland at deployingradius.com>
> 
>     Antonio Modesto wrote:
>     > Hi,
>     >
>     > I work at an ISP in Brazil, our main radius server is running freeradius
>     > 1.X. I'm configuring a new server with freeradius 2.X and doing some
>     > tests to see if I find any problem before putting it on production. So
>     > far I've found a little problem that doesn't disable me to put it in
>     > production, but can confuse in case of a radius failure. When an
>     > authentication failure happens, on the nas it appears that the radius
>     > server is not responding, it shows a "Radius timeout" message, here is
>     > the output of the radius debug:
> 
>       The timeouts on the NAS are set WAY too low.
> 
>     > Delaying reject of request 4 for 1 seconds
>     > Going to the next request
>     > Waking up in 0.9 seconds.
>     > rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
>     > id=86, length=145
>     > Waiting to send Access-Reject to client teste port 35710 - ID: 86
> 
>       i.e. the NAS didn't see a reply, and retransmitted.
> 
>     > Waking up in 0.6 seconds.
>     > rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
>     > id=86, length=145
>     > Waiting to send Access-Reject to client teste port 35710 - ID: 86
> 
>       And retransmitted again 0.3 seconds later.
> 
>     > Waking up in 0.3 seconds.
>     > Sending delayed reject for request 4
>     > Sending Access-Reject of id 86 to 192.168.2.100 port 35710
> 
>       And then the server responded 0.3 seconds later.
> 
>       Fix the NAS so it doesn't have *ridiculous* timeouts.  RADIUS timeouts
>     are normally in the multi-second range.  Having the NAS retransmit
>     multiple times a second is stupid, wrong, and will create problems.
> 
>       Alan DeKok.
> 
> -- 
> Best regards,
> Antônio Modesto
> IT Manager


-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
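
Added example, not part of the original thread or of FreeRADIUS: a small Python check that reads the debug output quoted in this message and counts the requests the NAS retransmitted while the delayed reject was still pending, then compares the NAS give-up time with reject_delay. The function names and the figure of three NAS attempts (the original request plus the two retransmits visible in the log) are assumptions.

```python
import re

# Debug lines copied from the thread, rejoined where the mail client wrapped them.
DEBUG_LOG = """\
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.3 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 86 to 192.168.2.100 port 35710
"""

DELAY = re.compile(r"Delaying reject of request \d+ for (\d+(?:\.\d+)?) seconds")
RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
WAIT = re.compile(r"Waiting to send Access-Reject to client \S+ port (\d+) - ID: (\d+)")
SENT = re.compile(r"Sending Access-Reject of id (\d+) to (\S+) port (\d+)")

def retransmits_during_reject_delay(log):
    """Report requests the NAS re-sent while the server was holding back an Access-Reject."""
    delay, last_recv, pending, findings = None, None, {}, []
    for line in log.splitlines():
        if m := DELAY.search(line):
            delay = float(m.group(1))
        elif m := RECV.search(line):
            last_recv = m.groups()                      # (host, port, id)
        elif (m := WAIT.search(line)) and last_recv and last_recv[1:] == m.groups():
            key = m.groups()                            # (port, id) of the duplicate request
            pending[key] = pending.get(key, 0) + 1
        elif m := SENT.search(line):
            key = (m.group(3), m.group(1))
            if pending.get(key):
                findings.append({"host": m.group(2), "port": key[0], "id": key[1],
                                 "retransmits": pending.pop(key), "reject_delay": delay})
    return findings

def nas_sees_reject(nas_timeout_s, nas_attempts, reject_delay_s, backend_s=0.0):
    """True if the reject goes out before the NAS has used up all its attempts (assumed model)."""
    return reject_delay_s + backend_s < nas_timeout_s * nas_attempts

if __name__ == "__main__":
    print(retransmits_during_reject_delay(DEBUG_LOG))
    print(nas_sees_reject(0.3, 3, 1.0), nas_sees_reject(5.0, 3, 1.0))
```
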
