FreeRADIUS can't make progress under certain load

Arran Cudbard-Bell a.cudbardb at
Sat Sep 10 20:37:30 CEST 2011

On 10 Sep 2011, at 20:23, Arran Cudbard-Bell wrote:

>> I'm not blaming anyone. Thanks for the great software and for sharing it with us. The great thing about open source is that I can tweak it to my needs. I'm not saying this is the best way to get rid of the problem. But it may be the easiest and the quickest.
>> -
> It's a really bad way to fix the problem. You're just masking the underlying issue doing this.
> You need to figure out why your backend authentication system is taking more than 5 seconds to complete a request. Its that simple.
> I'm suggesting lowering the max thread count to reduce the number of requests running in parallel to take load of your backend system, so it starts responding before the NAS retransmits the packet.
> Likely there's much more that could be done to deal with high volumes of requests, but we would need to know what modules you're using with the server, and so far you've ignored all requests for this information.
> If you just want to throw new requests away once the number queued gets stupidly large, use the undocumented parameter 'max_queue_size' in the threadpool stanza.
> One the server has X number of pending requests, it'll start throwing new ones away, relying on the NAS' retransmit behaviour to eventually get the request processed.
> -Arran
> Arran Cudbard-Bell
> a.cudbardb at

Your NAS is also behaving very strangely. FreeRADIUS only gives up on processing a request if a request with a duplicate ID, SRC IP, and SRC PORT but a different REQUEST AUTHENTICATOR is received.

When a NAS retransmits it should use the same ID, SRC IP, SRC PORT and REQUEST AUTHENTICATOR.

Coming back to your first message, it could be than Open RADIUS implements different logic for processing retransmits and so you don't see the problem... The wrong logic in terms of standards compliance, but something that works around the broken NAS.

If you have a example of the NAS you're using, point it at a real IP, but with no RADIUS server running, try and authenticate, and capture the packets.

We'll be able to tell you very easily weather your NAS has implemented the correct retransmit behaviour.


Arran Cudbard-Bell
a.cudbardb at

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.

More information about the Freeradius-Devel mailing list