lifetime and idle_timeout in clients.conf
Alan DeKok
aland at deployingradius.com
Fri Apr 13 17:04:45 CEST 2012
Jason Rohm wrote:
> I've been having some issues with proxy authentications failing in a
> federated TCP/TLS configuration. Investigation shows that the connections
> are failing with an error on the server end of "Info: Ignoring new
> connection due to client max_connections". A little more digging seems to
> show that the connections are not being gracefully closed. I suspect this
> is due to a firewall cleaning up idle TCP translation slots since there
> are currently few authentication attempts.
Don't do that. That kind of a configuration on a firewall is bad.
> I've seen the lifetime keyword in a number of sample configurations here
> and the configuration parser seems to take it when I run the service in
> debug mode.
Uh... you can't just add random keywords and expect it to work.
*All* of the keywords that work are in the default configuration
files, and are well documented. If a keyword doesn't exist in the
default config, it's because it doesn't work.
> However, the idle_timeout keyword is silently ignored and the
> server doesn't seem to be cleaning up old connections based on either the
> idle_timeout or the max lifetime. I can't find references to either
> lifetime or idle_timeout in the sample configurations or a quick review of
> the documentation as it relates to clients.conf.
Because it doesn't exist.
> So my questions are…
>
> 1.) Are the keywords lifetime and idle_timeout supported in clients.conf?
No.
> 2.) If they are, is there a known bug that would cause them to not work?
> 3.) If they aren't, would there be value to someone other than me to add
> this feature? (Yes, I know this means I volunteer, lol.)
Sure, send a patch.
However, fixing that will require some in-depth knowledge of the core
server APIs.
> 4.) In addition to lifetime and idle_timeout, would something like a keep
> alive be reasonable?
That's up to the client.
When FreeRADIUS acts as client (i.e. proxy to home server), it will
send watchdog packets.
Alan DeKok.
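The failure mode in the thread is silent: stale TLS connections pin max_connections slots until new proxy connections are refused, and the only trace is the repeated "Ignoring new connection due to client max_connections" line. The following log scan is an added example, not code from the thread or from FreeRADIUS; the log layout "<timestamp> : Info: <message>" is assumed and the sample lines are constructed.

```python
"""Count FreeRADIUS 'max_connections' rejections per hour so a run of them
(connection-slot exhaustion) stands out from a one-off. Added example; the
"<timestamp> : Info: <message>" layout is assumed, and the sample log is
constructed for demonstration only."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. Only the rejection message text comes from the
# thread; timestamps and the other line are invented.
SAMPLE_LOG = """\
Fri Apr 13 16:00:01 2012 : Info: Ready to process requests.
Fri Apr 13 16:02:03 2012 : Info: Ignoring new connection due to client max_connections
Fri Apr 13 16:02:41 2012 : Info: Ignoring new connection due to client max_connections
Fri Apr 13 16:05:09 2012 : Info: Ignoring new connection due to client max_connections
Fri Apr 13 17:30:00 2012 : Info: Ignoring new connection due to client max_connections
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<msg>.*)$"
)
REJECT_MSG = "Ignoring new connection due to client max_connections"


def parse_rejections(log_text):
    """Return a datetime for every max_connections rejection in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or REJECT_MSG not in m.group("msg"):
            continue
        hits.append(datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"))
    return hits


def rejections_per_hour(log_text):
    """Bucket rejections by hour, keyed as 'YYYY-MM-DD HH'."""
    return Counter(t.strftime("%Y-%m-%d %H") for t in parse_rejections(log_text))


def exhausted_hours(log_text, threshold=3):
    """Hours with at least `threshold` rejections: a sign that connections
    dropped without a clean close are still occupying max_connections slots."""
    counts = rejections_per_hour(log_text)
    return sorted(h for h, n in counts.items() if n >= threshold)
```

A sustained count during hours with little authentication traffic, as in the thread, points at slots held by dead connections rather than at genuine load.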