MAX_PACKET_LEN setting limiting number of Cisco-Avpair's

Niall Browne nbrowne at Yodlee.com
Wed Jun 29 00:10:51 CEST 2005


Hi

After looking through the source code on v 1.148.2.3 I can see that the
reason that cisco-avpair += within the users file is not being sent to the
firewall for ACL's above a certain number is due to the fact that the
maximum Radius Packet size is 4k.

 This is coded under radius.c for max_packet_len 4096

 I can modify the entry to increase the packet size and recompile, which
may work in that further cisco-avpair +=  may be pushed to the firewall, but
this will probably cause a number of other problems.

 Apart from this is there any other way to increase the number of
Cisco-Avpair's within freeradius to be pushed to a firewall or is this the
maximum ?

Thanks,
 Niall

> _____________________________________________ 
> From: 	Niall Browne  
> Sent:	Tuesday, June 28, 2005 10:20 AM
> To:	'freeradius-users at lists.freeradius.org'
> Subject:	RE: Issue with increasing the number of ACL's in users file
> 
> I sent this week and did not receive a response.
> 
> Since then I have again gone through all files in detail, viewed countless
> debugs, and searched all past posts re freeradius, with no success.
> 
> Anyone have any idea what may be causing this or have seen a similar
> problem in the past ?
> 
> Thanks,
>  Niall
>  
>  
> 
> _____________________________________________ 
> From: 	Niall Browne  
> Sent:	Wednesday, June 22, 2005 8:49 PM
> To:	'freeradius-users at lists.freeradius.org'
> Subject:	Issue with increasing the number of ACL's in users file
> 
> Hi
> 
>  I am having a problem with an apparent limit on ACL's on my freeradius
> servers. I have been running these servers for a number of years, and have
> always had the number of ACL's on the users file below 52, and have never
> had any problems.
> 
>  I noticed as soon as I increased the ACL's above 52  it appeared to
> authenticate in the logs, however the auth connection through Cisco VPN
> simply continued to try to authenticate and nothing happened. As soon as I
> removed the ACL's below 52 and restarted it works fine.
> 
> I dumped the logs 
> 
>  /usr/local/freeradius/sbin/radiusd -p 1647 -sfxxyz -l stdout
> 
>   When I then auth'd and viewed the stdout logs, they are identical for
> <52 and then >52 (when compared). The only difference is that the ACL's
> after the magic 52 mark do not show in the stdout, and this causes my
> timeout to fail. When I revert to <52 I can see the last ACL's and all
> works fine.
> 
>   I have checked through the configs including radiusd.conf however I
> cannot find a hard coded limitation on ACL's anywhere.
> 
>   Is anyone aware of how to resolve this ?
> 
> Thanks in advance,
>  Niall
>  
> 
> 
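
The size arithmetic behind the 4096-byte packet limit discussed in this message, as an added example that is not part of the original post and not FreeRADIUS code. It assumes the RFC 2865 layout (20-byte header, each Cisco-AVPair sent as a Vendor-Specific attribute with 8 bytes of framing); the function names and the sample ACL strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RADIUS_MAX_PACKET 4096 /* RFC 2865 maximum packet length */
#define RADIUS_HDR_LEN      20 /* code + id + length + 16-byte authenticator */
#define VSA_OVERHEAD         8 /* type, len, 4-byte vendor id, vendor type, vendor len */
#define ATTR_MAX_LEN       255 /* the attribute length field is a single octet */

/* Encoded size of one Cisco-AVPair carrying `value`;
 * 0 if the string is too long for a single attribute (more than 247 bytes). */
size_t avpair_encoded_len(const char *value)
{
    size_t n = strlen(value) + VSA_OVERHEAD;
    return n > ATTR_MAX_LEN ? 0 : n;
}

/* How many of values[0..n) fit, in order, when `used` bytes of the packet
 * (header plus any other reply attributes) are already taken. */
size_t avpairs_that_fit(const char **values, size_t n, size_t used)
{
    size_t i;
    for (i = 0; i < n; i++) {
        size_t len = avpair_encoded_len(values[i]);
        if (len == 0 || used + len > RADIUS_MAX_PACKET)
            break;
        used += len;
    }
    return i;
}

int main(void)
{
    /* Constructed sample: 100 ACL lines of one shape, not taken from the post. */
    static char acl[100][96];
    const char *values[100];
    for (int i = 0; i < 100; i++) {
        snprintf(acl[i], sizeof acl[i],
                 "ip:inacl#%d=permit tcp any host 192.0.2.%d eq 443", i + 1, i + 1);
        values[i] = acl[i];
    }
    size_t fit = avpairs_that_fit(values, 100, RADIUS_HDR_LEN);
    printf("%zu of 100 attributes fit in %d bytes\n", fit, RADIUS_MAX_PACKET);
    return 0;
}
```

The count that fits depends on the length of each ACL string, so longer rules reach the limit with fewer entries.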