Radius Timeout instead of Access-Reject

Alan DeKok aland at deployingradius.com
Tue Aug 7 20:35:58 CEST 2012


Antonio Modesto wrote:
> Hi,
> 
> I work at an ISP in Brazil; our main RADIUS server is running FreeRADIUS
> 1.X. I'm configuring a new server with FreeRADIUS 2.X and doing some
> tests to see if I find any problems before putting it into production. So
> far I've found a little problem that doesn't prevent me from putting it in
> production, but can be confusing in case of a RADIUS failure. When an
> authentication failure happens, on the NAS it appears that the RADIUS
> server is not responding; it shows a "Radius timeout" message. Here is
> the output of the RADIUS debug:

  The timeouts on the NAS are set WAY too low.

> Delaying reject of request 4 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
> id=86, length=145
> Waiting to send Access-Reject to client teste port 35710 - ID: 86

  i.e. the NAS didn't see a reply, and retransmitted.

> Waking up in 0.6 seconds.
> rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
> id=86, length=145
> Waiting to send Access-Reject to client teste port 35710 - ID: 86

  And retransmitted again 0.3 seconds later.

> Waking up in 0.3 seconds.
> Sending delayed reject for request 4
> Sending Access-Reject of id 86 to 192.168.2.100 port 35710

  And then the server responded 0.3 seconds later.

  Fix the NAS so it doesn't have *ridiculous* timeouts.  RADIUS timeouts
are normally in the multi-second range.  Having the NAS retransmit
multiple times a second is stupid, wrong, and will create problems.

  Alan DeKok.
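
The diagnosis in the reply above can be automated. The following is an added example, not part of the original thread and not FreeRADIUS code: it scans debug output for Access-Requests retransmitted while a reject is being delayed and estimates the NAS retransmit interval. The sample log is constructed from the lines quoted above (wrapped lines joined), `analyze` is a hypothetical helper, and it assumes only one delayed reject is in flight at a time.

```python
import re

# Constructed sample in the format of the debug output quoted in the thread
# (the wrapped rad_recv lines are joined onto one line).
SAMPLE = """\
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145
Waiting to send Access-Reject to client teste port 35710 - ID: 86
Waking up in 0.3 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 86 to 192.168.2.100 port 35710
"""

DELAY = re.compile(r"Delaying reject of request \d+ for ([\d.]+) seconds")
WAITING = re.compile(r"Waiting to send Access-Reject to client \S+ port (\d+) - ID: (\d+)")
WAKING = re.compile(r"Waking up in ([\d.]+) seconds")
SENT = re.compile(r"Sending Access-Reject of id (\d+) to (\S+) port (\d+)")

def analyze(text):
    """Return one finding per reject whose request was retransmitted during the delay."""
    delay, pending, seen, findings = None, None, {}, []
    for line in text.splitlines():
        if m := DELAY.search(line):
            delay = float(m.group(1))
        elif m := WAITING.search(line):       # duplicate request hit a delayed reject
            pending = (m.group(1), m.group(2))  # key: (source port, RADIUS id)
            seen.setdefault(pending, [])
        elif (m := WAKING.search(line)) and pending and delay is not None:
            # Assumption: with one delayed reject, "Waking up in" = time left on it.
            seen[pending].append(round(delay - float(m.group(1)), 3))
            pending = None
        elif m := SENT.search(line):
            times = seen.pop((m.group(3), m.group(1)), [])
            gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
            if times:
                findings.append({"nas": m.group(2), "id": int(m.group(1)),
                                 "reject_delay": delay, "retransmits": len(times),
                                 "nas_interval": min(gaps) if gaps else times[0]})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A finding whose `nas_interval` is below `reject_delay` is the situation described in the reply: the NAS gives up or retransmits before the delayed Access-Reject is sent, so the fix belongs in the NAS timeout setting.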

