Re-transmits arriving via a different proxy / EAP duplicate detection

Alan DeKok aland at
Wed Oct 10 13:26:39 CEST 2012

Phil Mayers wrote:
> First, the FreeRADIUS duplicate detect / retransmit logic doesn't apply
> because the source IP, shared secret, Proxy-State and
> Message-Authenticator are all different, even though all other
> attributes are identical. This is correct behaviour AFAICT from the RFCs.
> Second, because the retransmits aren't eaten by the duplicate detection,
> they arrive as real packets in the server core, but are rejected because
> the "State" attribute is no longer valid - this is because FR mutates
> "State" on every round-trip, mixing in the EAP type/id/exchange number.

  There is a solution.  But it involves new code.

> Does anyone have any thoughts on the matter? Absent RADIUS-over-TCP,
> this seems like a really tricky one...

  Nah.  Create a new "state tracking" module.

a) runs before sending reply, and caches State -> request/reply

b) runs on receiving packet, and looks for duplicate state

   if found, and request looks similar, send duplicate reply

  That would bypass all of the EAP code, and add another layer of
duplicate detection after the "packets are duplicate" code.

  There should really also be a state tracking API in the server core.
Certain modules (i.e. securid) roll their own, and it's not overly

  Alan DeKok.

More information about the Freeradius-Users mailing list