preventing multiple authentication attempts for up to 2 minutes.
I am using nlm_python plugin to trigger an out-of-band authentication and get a result typically completed in about 20 seconds but should not time out for two minutes. When I run radtest and a duplicate request comes in I get (0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python in the log. However, in an actual login attempt from a 3rd party system configured to use this radius instance I often see a second authentication attempt almost immediately started while the first is still in progress. How can I prevent this? I set idle timeouts in clients.conf and sites-available/default to 120. What else is needed? Thanks, Jim
On Fri, Mar 18, 2016 at 09:14:43AM -0400, Jim Whitescarver wrote:
When I run radtest and a duplicate request comes in I get
(0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python
OK, that makes sense. First still in progress when the duplicate comes in.
in the log. However, in an actual login attempt from a 3rd party system configured to use this radius instance I often see a second authentication attempt almost immediately started while the first is still in progress.
How can I prevent this?
Update timers on the remote system to not retry so quickly? If there has been no reply to the client, then any other requests sent are down to the remote client, not FreeRADIUS. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
"Update timers on the remote system to not retry so quickly?" I don't think so. Radtest sends three requests just seconds apart, and I get the correct result every time. (0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python There must be something else causing the problem. Could it somehow be that the remote client is not sending the retries quickly enough? I have no control over the remote client. I suppose I could hack radtest to try to duplicate the problem. I was hoping there might be something simple I have overlooked. On Fri, Mar 18, 2016 at 9:22 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Mar 18, 2016 at 09:14:43AM -0400, Jim Whitescarver wrote:
When I run radtest and a duplicate request comes in I get
(0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python
OK, that makes sense. First still in progress when the duplicate comes in.
in the log. However, in an actual login attempt from a 3rd party system configured to use this radius instance I often see a second authentication attempt almost immediately started while the first is still in progress.
How can I prevent this?
Update timers on the remote system to not retry so quickly?
If there has been no reply to the client, then any other requests sent are down to the remote client, not FreeRADIUS.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Mar 18, 2016 at 09:55:00AM -0400, Jim Whitescarver wrote:
"Update timers on the remote system to not retry so quickly?"
I don't think so. Radtest sends three requests just seconds apart, and I get the correct result every time.
(0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python
OK, I misunderstood and thought you meant it was logging that for the remote client.
There must be something else causing the problem.
I would hazard a guess that the client is not getting a response "quick enough", and starting a new request with a different RADIUS ID, rather than just retrying the existing request. You should see that in the debug output. Compare the request ID between the duplicates from radtest, and the remote client/NAS. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mar 18, 2016, at 9:14 AM, Jim Whitescarver <jimscarver@gmail.com> wrote:
I am using nlm_python plugin to trigger an out-of-band authentication and get a result typically completed in about 20 seconds but should not time out for two minutes.
FYI, most RADIUS clients (i.e. NAS, WiFi AP, etc.) will give up after 30 seconds.
When I run radtest and a duplicate request comes in I get
(0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due to unfinished request in component authenticate module python
That's what's supposed to happen...
in the log. However, in an actual login attempt from a 3rd party system configured to use this radius instance I often see a second authentication attempt almost immediately started while the first is still in progress.
How can I prevent this?
Fix the NAS so it isn't broken. The NAS is supposed to send a *duplicate* packet. Not send a *new* packet.
I set idle timeouts in clients.conf and sites-available/default to 120. What else is needed?
Throw your NAS in the garbage, and buy a new NAS. FreeRADIUS doesn't control how the NAS behaves. Alan DeKok.
participants (3)
-
Alan DeKok -
Jim Whitescarver -
Matthew Newton