Cleanup of the "id" between NAS and radius server
John Douglass
john.douglass at oit.gatech.edu
Tue Nov 19 17:34:55 CET 2013
I have a question about any settings that may affect the timing of the
re-use of the "Identifier" as per the RFC:
Identifier
The Identifier field is one octet, and aids in matching requests and
replies. The RADIUS server can detect a duplicate request if it has the
same client source IP address and source UDP port and Identifier within
a short span of time.
I am currently running radius 2.2.0 and in my radiusd.conf I have:
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Useful range of values: 5 to 120
#
max_request_time = 5
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 2
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 8500
I have posted my wireshark screen at:
http://johnd.oit.gatech.edu/wp-content/uploads/2013/11/wireshark-discarding-packet-1.png
When I am looking at my TCPdumps (debugging duplicate requests) I see a
duplicate request come in at Frame 6963
Frame 5475 at 10:20:07 - Access-Request id 76
Frame 5482 at 10:20:07 - Access-Challenge response to 5475 id 76
Frame 6963 at 10:20:13 - Duplicate Request says response to this request
id 76 is in frame 5482
Now, Frame 6963 is a full 5 seconds past the Access-Challenge of Frame
5482.
My question is, is it the "cleanup_delay" setting that cleans up old
identifiers for re-use?
Does the "max_requests" value have any effect on when the identifiers
are ready for re-use?
Thanks,
- John Douglass, Sr. Systems IT/Architect
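As an added illustration (not part of the original post and not FreeRADIUS's implementation), the following models the RFC 2865 rule quoted above: a reply cache keyed on (client IP, source UDP port, Identifier) whose entries expire cleanup_delay seconds after the reply was sent. The packet bytes, NAS address and the t=0 / t=6 timeline are constructed from the frame timestamps in the post; whether the retransmit is treated as a duplicate depends only on cleanup_delay, not on max_requests, in this model.

```python
"""Model of RFC 2865 duplicate detection keyed on (client IP, UDP port, Identifier)."""
import struct
from dataclasses import dataclass, field

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11


def parse_header(pkt: bytes):
    """Return (code, identifier, length) from the 20-byte RADIUS header.

    Layout per RFC 2865: Code (1), Identifier (1), Length (2), Authenticator (16).
    """
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with datagram size")
    return code, ident, length


@dataclass
class DupCache:
    cleanup_delay: float                      # seconds a sent reply stays cached
    entries: dict = field(default_factory=dict)  # key -> (reply_sent_at, reply)

    def lookup(self, src_ip, src_port, pkt, now):
        """Return the cached reply if this is a duplicate still inside cleanup_delay."""
        _, ident, _ = parse_header(pkt)
        # Expire entries whose reply left more than cleanup_delay seconds ago.
        stale = [k for k, (sent, _) in self.entries.items() if now - sent > self.cleanup_delay]
        for k in stale:
            del self.entries[k]
        hit = self.entries.get((src_ip, src_port, ident))
        return hit[1] if hit else None

    def record_reply(self, src_ip, src_port, pkt, reply, now):
        _, ident, _ = parse_header(pkt)
        self.entries[(src_ip, src_port, ident)] = (now, reply)


def replay_scenario(cleanup_delay):
    """Constructed timeline: id 76 request at t=0 (frame 5475), challenge sent at t=0
    (frame 5482), same id retransmitted 6 s later (frame 6963, whole-second stamps)."""
    req = struct.pack("!BBH", ACCESS_REQUEST, 76, 20) + b"\x00" * 16   # constructed, no attributes
    chal = struct.pack("!BBH", ACCESS_CHALLENGE, 76, 20) + b"\x00" * 16
    nas = ("10.0.0.1", 50000)                                            # constructed NAS endpoint
    cache = DupCache(cleanup_delay)
    if cache.lookup(*nas, req, now=0.0) is not None:
        raise RuntimeError("empty cache must not report a duplicate")
    cache.record_reply(*nas, req, chal, now=0.0)
    return cache.lookup(*nas, req, now=6.0) is not None  # True only if still cached
```

With the posted cleanup_delay = 2 the model treats frame 6963 as a fresh request; raising cleanup_delay to 10 makes it a cached duplicate.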