<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I have a question about any settings that may affect the timing of
the re-use of the "Identifier" as per the RFC:<br>
<br>
<span id="OLK_SRC_BODY_SECTION"><b>Identifier </b><br>
The Identifier field is <i>one octet</i>, and aids in matching
requests and replies. The RADIUS server can detect a duplicate
request if it has the same client source IP address and source UDP
port and Identifier within a short span of time.
<br>
<br>
I am currently running radius 2.2.0 and in my radiusd.conf I have:<br>
<br>
# max_request_time: The maximum time (in seconds) to handle a
request.<br>
#<br>
# Useful range of values: 5 to 120<br>
#<br>
max_request_time = 5 <br>
<br>
# cleanup_delay: The time to wait (in seconds) before cleaning up<br>
# a reply which was sent to the NAS.<br>
#<br>
# The RADIUS request is normally cached internally for a short
period<br>
# of time, after the reply is sent to the NAS. The reply packet
may be<br>
# lost in the network, and the NAS will not see it. The NAS will
then<br>
# re-send the request, and the server will respond quickly with
the<br>
# cached reply.<br>
#<br>
# If this value is set too low, then duplicate requests from the
NAS<br>
# MAY NOT be detected, and will instead be handled as separate
requests.<br>
#<br>
# If this value is set too high, then the server will cache too
many<br>
# requests, and some new requests may get blocked. (See
'max_requests'.)<br>
#<br>
# Useful range of values: 2 to 10<br>
#<br>
cleanup_delay = 2 <br>
<br>
# max_requests: The maximum number of requests which the server
keeps<br>
# track of. This should be 256 multiplied by the number of
clients.<br>
# e.g. With 4 clients, this number should be 1024.<br>
#<br>
# If this number is too low, then when the server becomes busy,<br>
# it will not respond to any new requests, until the
'cleanup_delay'<br>
# time has passed, and it has removed the old requests.<br>
#<br>
# If this number is set too high, then the server will use a bit
more<br>
# memory for no real benefit.<br>
#<br>
# If you aren't sure what it should be set to, it's better to set
it<br>
# too high than too low. Setting it to 1000 per client is
probably<br>
# the highest it should be.<br>
#<br>
# Useful range of values: 256 to infinity<br>
#<br>
max_requests = 8500<br>
<br>
I have posted my Wireshark screen at:<br>
<br>
<a class="moz-txt-link-freetext" href="http://johnd.oit.gatech.edu/wp-content/uploads/2013/11/wireshark-discarding-packet-1.png">http://johnd.oit.gatech.edu/wp-content/uploads/2013/11/wireshark-discarding-packet-1.png</a><br>
<br>
When I am looking at my tcpdump captures (debugging duplicate requests) I
see a duplicate request come in at Frame 6963:<br>
</span><br>
<span id="OLK_SRC_BODY_SECTION"><span id="OLK_SRC_BODY_SECTION">Frame
5475 at 10:20:07 - Access-Request id 76<br>
</span></span><span id="OLK_SRC_BODY_SECTION"><span
id="OLK_SRC_BODY_SECTION"><span id="OLK_SRC_BODY_SECTION">Frame
5482 at 10:20:07 - Access-Challenge response to 5475 id 76<br>
</span></span>Frame 6963 at 10:20:13 - Duplicate Request says
response to this request id 76 is in frame 5482<br>
<br>
Now, Frame 6963 is a full 5 seconds past the Access-Challenge of
Frame 5482. <br>
<br>
My question is, is it the "cleanup_delay" setting that cleans up
old identifiers for re-use? <br>
<br>
Does the "max_requests" value have any effect on when the
identifiers are ready for re-use?<br>
<br>
Thanks,<br>
- John Douglass, Sr. Systems IT/Architect<br>
</span>
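<br>
The duplicate-detection rule quoted from the RFC above (same source IP, source UDP port and Identifier within a short span of time), as an added example that is not part of the original post and is not FreeRADIUS code. The `window` parameter, the use of the Request Authenticator to tell a retransmission from a re-used Identifier, and all packet values are assumptions of this sketch.

```python
import struct

# RADIUS header (RFC 2865): Code, Identifier, Length, 16-octet Authenticator
HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1

def parse_header(datagram):
    """Return (code, identifier, authenticator) from a raw RADIUS datagram."""
    if HEADER.size > len(datagram):
        raise ValueError("datagram shorter than the 20-octet RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(datagram)
    if 20 > length or length > len(datagram):
        raise ValueError("Length field inconsistent with datagram size")
    return code, ident, auth

def classify(packets, window):
    """Label each Access-Request 'new', 'retransmit' or 'id-reuse'.

    packets: (time_s, src_ip, src_port, datagram) tuples ordered by time.
    window:  seconds a request is remembered after it was last seen
             (hypothetical parameter of this sketch, not a radiusd.conf option).
    """
    cache = {}   # (src_ip, src_port, identifier) -> (last_seen, authenticator)
    labels = []
    for t, ip, port, data in packets:
        code, ident, auth = parse_header(data)
        if code != ACCESS_REQUEST:
            continue
        key = (ip, port, ident)
        prev = cache.get(key)
        if prev is None or t - prev[0] > window:
            label = "new"          # nothing remembered under this key
        elif prev[1] == auth:
            label = "retransmit"   # same key and same authenticator
        else:
            label = "id-reuse"     # same key, different request
        cache[key] = (t, auth)
        labels.append(label)
    return labels

def _req(ident, fill):
    # Constructed header-only Access-Request; authenticator is 16 copies of `fill`.
    return HEADER.pack(ACCESS_REQUEST, ident, 20, bytes([fill]) * 16)

# Constructed capture: times are seconds, addresses are documentation values.
SAMPLE = [
    (7.0, "192.0.2.10", 40001, _req(76, 0xAA)),
    (13.0, "192.0.2.10", 40001, _req(76, 0xAA)),  # same authenticator, 6 s later
    (14.0, "192.0.2.10", 40001, _req(76, 0xBB)),  # same id, new authenticator
    (14.5, "192.0.2.10", 40002, _req(76, 0xCC)),  # different source port
]
```

Running `classify(SAMPLE, 10)` and `classify(SAMPLE, 2)` side by side shows how the length of the remembered window changes whether the second packet is treated as a duplicate.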
</body>
</html>