Zombie Clarification

James J J Hooper jjj.hooper at bristol.ac.uk
Sat Mar 24 17:24:29 CET 2012


On 24/03/2012 13:13, Alan Buxey wrote:
> Hi,
>
> there was never any more on this thread, so just to add some final info
>
>>> Now, for whatever reason, the Windows box decides to discard some
>>> requests. Unfortunately, the error reporting is pretty weak
>>> ("discarding invalid request"). Our Windows guys are digging into
>>> this. It seems to be client specific, we suspect something with our
>>> recently changed certificate.
>>
>>    I don't see how.  Normal RADIUS doesn't use certificates.
>>
>>    And if your home server *randomly* discards requests, then your
>> priority should be to fix that.  No amount of poking FreeRADIUS will
>> make the home server magically work.  No amount of poking FreeRADIUS
>> will work around the fact that the home server is broken.
>
> Microsoft decided, in their wisdom, to just discard packets that aren't right.
> this affects IAS and NPS. if your policy says, for example,
>
> NAS-Port-Type = Wireless-802.11
>
> and the packet doesn't have that attribute...or it's not Wireless-802.11..then the packet
> is just silently dropped. the RADIUS proxies throughout the proxy chain then
> think the server is dead.... status-server kicks in.... oh, guess what. they don't support
> that, so it stays marked dead.  the remote proxies might be lucky...as their
> status-server will be answered by the proxy above them...which, if it's FreeRADIUS
> or RADIATOR *will* respond in some way to show they are alive.
>
> IAS and NPS are a mess with proxied RADIUS - especially when there are policies
> involved.

Further to what Alan says above, IAS/NPS can report "invalid request" if it 
contains an attribute not in their dictionaries, or an attribute where the 
value does not match the type in their dictionaries.

As NPS and IAS dictionaries are old, don't match the RFCs, and it seems MS 
never update the dictionaries, this means NPS and IAS discard a lot of 
valid packets!

If you are proxying to IAS or NPS, filter the attributes very carefully 
before they hit the MS RADIUS servers.

Regards,
   James
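
The filtering advice above, sketched as an added example that is not part of the original post or of FreeRADIUS: it parses a RADIUS packet, drops attributes that are outside an allowlist or whose value length does not fit the declared type, and reports what was dropped. The `ALLOWED` table and the function names are assumptions for illustration, not the actual IAS/NPS dictionary.

```python
# Hypothetical allowlist: attribute number -> (name, data type). A stand-in
# for whatever the home server is known to accept, not the real NPS dictionary.
ALLOWED = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    61: ("NAS-Port-Type", "integer"),
    79: ("EAP-Message", "string"),
    80: ("Message-Authenticator", "string"),
}
FIXED_LEN = {"integer": 4, "ipaddr": 4}  # value sizes fixed by RFC 2865

def parse_attributes(packet):
    """Yield (type, value) for every attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def filter_packet(packet):
    """Return (filtered_packet, dropped), keeping allowlisted, well-typed attributes."""
    # Dropping attributes invalidates Message-Authenticator, which covers the
    # whole packet; the proxy has to re-sign the result before sending it on.
    kept, dropped = b"", []
    for atype, value in parse_attributes(packet):
        name, dtype = ALLOWED.get(atype, (None, None))
        if name is None:
            dropped.append((atype, "not in allowlist"))
        elif dtype in FIXED_LEN and len(value) != FIXED_LEN[dtype]:
            dropped.append((atype, "bad length for " + dtype))
        else:
            kept += bytes([atype, len(value) + 2]) + value
    header = packet[:2] + (20 + len(kept)).to_bytes(2, "big") + packet[4:20]
    return header + kept, dropped

# Constructed sample Access-Request: User-Name, NAS-Port-Type = 19
# (Wireless-802.11), a 2-byte NAS-Port (wrong size), and attribute 95.
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
_attrs = (_attr(1, b"alice") + _attr(61, (19).to_bytes(4, "big"))
          + _attr(5, b"\x00\x07") + _attr(95, bytes(16)))
SAMPLE = bytes([1, 42]) + (20 + len(_attrs)).to_bytes(2, "big") + bytes(16) + _attrs
```

Logging the `dropped` list per request shows which attributes a client or upstream proxy is sending that the home server would otherwise discard without a useful error.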


More information about the Freeradius-Users mailing list