Radius Timeout instead of Access-Reject
Alan DeKok
aland at deployingradius.com
Tue Aug 7 20:35:58 CEST 2012
Antonio Modesto wrote:
> Hi,
>
> I work at an ISP in Brazil, our main radius server is running freeradius
> 1.X. I'm configuring a new server with freeradius 2.X and doing some
> tests to see if I find any problem before putting it on production. So
> far I've found a little problem that doesn't disable me to put it in
> production, but can confuse in case of a radius failure. When an
> authentication failure happens, on the nas it appears that the radius
> server is not responding, it shows a "Radius timeout" message, here is
> the output of the radius debug:
The timeouts on the NAS are set WAY too low.
> Delaying reject of request 4 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
> id=86, length=145
> Waiting to send Access-Reject to client teste port 35710 - ID: 86
i.e. the NAS didn't see a reply, and retransmitted.
> Waking up in 0.6 seconds.
> rad_recv: Access-Request packet from host 192.168.2.100 port 35710,
> id=86, length=145
> Waiting to send Access-Reject to client teste port 35710 - ID: 86
And retransmitted again 0.3 seconds later.
> Waking up in 0.3 seconds.
> Sending delayed reject for request 4
> Sending Access-Reject of id 86 to 192.168.2.100 port 35710
And then the server responded 0.3 seconds later.
Fix the NAS so it doesn't have *ridiculous* timeouts. RADIUS timeouts
are normally in the multi-second range. Having the NAS retransmit
multiple times a second is stupid, wrong, and will create problems.
Alan DeKok.
More information about the Freeradius-Users
mailing list