Upstream NAS flooding my radius

Fajar A. Nugraha list at fajar.net
Thu Dec 15 22:48:21 CET 2011


On Fri, Dec 16, 2011 at 1:02 AM, Nathan M <locu.lists at gmail.com> wrote:
> @Fajar - the intent in having them dropped is exactly that.  I don't
> want the end-user trying to authenticate to fail authentication, I do
> want the NAS to retry.  I just want to control how quickly it can
> retry from my end.

Have you actually tried that? Your "solution" may actually be worse
than the original problem.

In my system, when radius responds too late, the NAS will either:
- mark the radius server dead, OR
- have such a ridiculously high load that it's unable to function correctly,
due to the high number of ongoing authentication requests.
In either case, the user will have to reauthenticate anyway. This is
usually not a problem, since most of my clients are ADSL with the
modem doing automatic reauthentication as needed.

That's why it is better to respond as quickly as possible, without any
delay. Even if the response is reject.

-- 
Fajar




More information about the Freeradius-Users mailing list