On 09/10/2011 11:45 PM, Alan DeKok wrote:
rihad wrote:
BTW, I'm not sure why, but under comparable workloads openradius does not exhibit this problem. Look at the source code to OpenRADIUS. It doesn't do duplicate detection that's suggested by RFC 5080 (which I'm the author of). This is understandable, because the most recent release of OpenRADIUS is 4 years ago, before RFC 5080 was published.
So OpenRADIUS is worse than FreeRADIUS. It will process both the old and the new request, which *increases* the load on your system. And it *won't* tell you that there's a problem.
You are making a very, very, common mistake. You see an error message, and you're trying to get rid of the error message. You are *not* trying to understand the problem. You are *not* trying to solve the real problem.
Go find out why something is blocking FreeRADIUS. And this is bad, too:
The duplicate requests come from PPPoE clients after they fail to receive a response within 5 seconds or so. Your NAS is broken. Giving up on requests after 5 seconds is *stupid*. RFC 5080 suggests a better method. RADIUS clients in 1993 had better methods than "give up after 5s".
AFAIK it's not the NAS decision per se to resend the auth after about 5 seconds, but clients' ADSL modems'.
Use a NAS that isn't broken. Fix your database so it can handle the load.
*Don't* go poking at FreeRADIUS. It's fine.
Alan DeKok.