Error logs on freeradius 2.1.8

Alan DeKok aland at
Thu Apr 29 11:02:16 CEST 2010

Andrew Hood wrote:
> This is a generic problem with firewalls, and there appears to be no
> solution which the security paranoid will accept. If you think this is
> bad, try working with a mob who insist on dropping all ICMP traffic
> (including frag required) at some or all firewalls.

  Yup.  Breaking the net != more security

> Firewalls are normally configured to drop any established connection
> from the tables where no traffic is sent for a configurable time. This
> is to stop the tables growing uncontrollably.

  I don't understand why they care about "established" TCP connections.
 For RADIUS -> database traffic, *all* data is OK.  Who the heck cares
if it's an established connection or not?

> If you are in this unfortunate position your only solution is to enable
> TCP keepalive on all connections, and reduce the TCP keepalive timer to
> below the firewall's connection drop timer.

  I've tried that.  In some cases it works... in others it doesn't.

  The only way to fix it is to escalate the problem.  Blame the security
team for revenue loss when people can't log in because the firewall has
broken RADIUS->SQL user lookups.  That usually helps.

  Alan DeKok.

More information about the Freeradius-Users mailing list