RADIUS Sending Duplicate Reply
Fajar A. Nugraha
list at fajar.net
Tue Sep 6 10:51:56 CEST 2011
On Tue, Sep 6, 2011 at 3:26 PM, Det Det <det.explorer at yahoo.com> wrote:
> Hi,
> This question may be a bit off from RADIUS, but is there a way to limit NAS
> or RADIUS to send only one access-request/access-accept in a single dial
> attempt?

You're looking at things the wrong way.
It's like you're on a beach, and there's a big sign saying "no
swimming" because the beach is infested with jellyfish, but you decide
to swim anyway. And then when the jellyfish stings, you ask "how to
make it so it doesn't hurt".

> I am connecting via PPPoE. I can see from RADIUS logs receiving
> multiple access-request thus it is also giving multiple access-accept. How
> do I prevent this? Coz it is causing an issue "connection is terminated
> because the remote server did not respond in a timely manner". Then I have
> to redial again coz the IP does not get assigned to the client.

I'm guessing what happens is something like this:
- the NAS sends access-request
- radius accepts the request, and consults whatever backend it uses
  (e.g. files, db, ldap, etc)
- backend processing takes a long time
- client sends the request again since radius hasn't responded
- radius accepts the request again, and notices that it's a duplicate request
- processing finally completes. Since there are multiple requests
  received, radius sends multiple responses (and logs them as duplicates)

OR

- the NAS sends access-request
- radius accepts the request, and consults whatever backend it uses
  (e.g. files, db, ldap, etc)
- radius sends the response, but the response comes from a different IP
  address than what the NAS expects
- client sends the request again since it didn't receive the expected
  response from the correct IP address
- radius accepts the request again, notices that it's a duplicate
  request, and simply sends the response again

If it's case #1, you need to fix the backend. Usually it involves
indexing, fixing schemas/queries, upgrading hardware, and so on.
If it's #2, the easiest way is to just register the radius's primary
IP address in client's radius server list. Another alternative is to
use "--with-udpfromto" when compiling freeradius.
--
Fajar
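
Added example (not part of the original message, and not FreeRADIUS code): a Python sketch that tells the two scenarios described above apart, given a packet trace of the RADIUS exchange. The trace records, IP addresses, ports and verdict names are constructed for illustration; requests are matched by NAS address, source port and RADIUS identifier.

```python
from collections import defaultdict

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)

# Constructed trace: (seconds, src_ip, src_port, dst_ip, dst_port, code, identifier)
TRACE = [
    # Exchange A: server answers only after the NAS has already retransmitted.
    (0.00, "192.0.2.10", 40001, "198.51.100.1", 1812, ACCESS_REQUEST, 17),
    (3.00, "192.0.2.10", 40001, "198.51.100.1", 1812, ACCESS_REQUEST, 17),
    (4.20, "198.51.100.1", 1812, "192.0.2.10", 40001, ACCESS_ACCEPT, 17),
    (4.21, "198.51.100.1", 1812, "192.0.2.10", 40001, ACCESS_ACCEPT, 17),
    # Exchange B: prompt reply, but sourced from a secondary server address.
    (10.00, "192.0.2.20", 40002, "198.51.100.1", 1812, ACCESS_REQUEST, 42),
    (10.05, "198.51.100.2", 1812, "192.0.2.20", 40002, ACCESS_ACCEPT, 42),
    (13.00, "192.0.2.20", 40002, "198.51.100.1", 1812, ACCESS_REQUEST, 42),
    (13.01, "198.51.100.2", 1812, "192.0.2.20", 40002, ACCESS_ACCEPT, 42),
]

def classify(trace):
    """Return {(nas_ip, nas_port, id): verdict} for exchanges with retransmits."""
    reqs, replies = defaultdict(list), defaultdict(list)
    for t, src, sport, dst, dport, code, ident in sorted(trace):
        if code == ACCESS_REQUEST:
            reqs[(src, sport, ident)].append((t, dst))
        else:
            replies[(dst, dport, ident)].append((t, src))
    verdicts = {}
    for key, sent in reqs.items():
        if len(sent) < 2:
            continue  # no retransmission, nothing to explain
        server_ip = sent[0][1]      # address the NAS is configured to talk to
        got = replies.get(key, [])
        if any(src != server_ip for _, src in got):
            # Second scenario: reply came from an address the NAS did not query.
            verdicts[key] = "reply-from-unexpected-ip"
        elif not got or got[0][0] > sent[1][0]:
            # First scenario: NAS retransmitted before any reply was sent.
            verdicts[key] = "slow-backend"
        else:
            verdicts[key] = "reply-lost-or-other"
    return verdicts

if __name__ == "__main__":
    for key, verdict in classify(TRACE).items():
        print(key, verdict)
```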