Cleanup of the "id" between NAS and radius server

John Douglass john.douglass at oit.gatech.edu
Tue Nov 19 17:34:55 CET 2013


I have a question about any settings that may affect the timing of the 
re-use of the "Identifier" as per the RFC:

Identifier

The Identifier field is one octet, and aids in matching requests and 
replies. The RADIUS server can detect a duplicate request if it has the 
same client source IP address and source UDP port and Identifier within 
a short span of time.

I am currently running radius 2.2.0 and in my radiusd.conf I have:

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Useful range of values: 5 to 120
#
max_request_time = 5

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 2

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 8500

I have posted my wireshark screen at:

http://johnd.oit.gatech.edu/wp-content/uploads/2013/11/wireshark-discarding-packet-1.png

When I am looking at my tcpdump captures (debugging duplicate requests) I see a 
duplicate request come in at Frame 6963:

Frame 5475 at 10:20:07 - Access-Request, id 76
Frame 5482 at 10:20:07 - Access-Challenge, response to 5475, id 76
Frame 6963 at 10:20:13 - Duplicate Request; says the response to this request 
(id 76) is in frame 5482

Now, Frame 6963 is a full 5 seconds past the Access-Challenge of Frame 
5482.

My question is, is it the "cleanup_delay" setting that cleans up old 
identifiers for re-use?

Does the "max_requests" value have any effect on when the identifiers 
are ready for re-use?

Thanks,
- John Douglass, Sr. Systems IT/Architect
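The following is an added example, not code from the post or from FreeRADIUS. It is a small Python model of the duplicate-detection behaviour that the quoted radiusd.conf comments and RFC text describe: requests are tracked by (client source IP, source UDP port, Identifier), a request whose reply has been sent is kept for cleanup_delay seconds so a retransmit gets the cached reply, an unanswered request is abandoned after max_request_time, and max_requests caps the table. It then replays the three frames from the capture above under the model. The NAS address 192.0.2.10 and source port 49152 are constructed placeholders (the post does not give them), and the frame times are taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Key per RFC 2865: (client source IP, source UDP port, Identifier)
Key = Tuple[str, int, int]


@dataclass
class TrackedRequest:
    received_at: float
    reply: Optional[str] = None
    replied_at: Optional[float] = None


class DuplicateDetector:
    """Simplified model of the three radiusd.conf knobs quoted in the post.
    This is an illustration of the documented semantics, not FreeRADIUS code."""

    def __init__(self, max_request_time=5, cleanup_delay=2, max_requests=8500):
        self.max_request_time = max_request_time
        self.cleanup_delay = cleanup_delay
        self.max_requests = max_requests
        self.table: Dict[Key, TrackedRequest] = {}

    def _expire(self, now: float) -> None:
        # A replied request lives cleanup_delay seconds after its reply was sent;
        # an unanswered one is dropped once max_request_time has elapsed.
        for key, req in list(self.table.items()):
            if req.replied_at is not None:
                if now - req.replied_at >= self.cleanup_delay:
                    del self.table[key]
            elif now - req.received_at >= self.max_request_time:
                del self.table[key]

    def receive(self, now: float, src_ip: str, src_port: int,
                identifier: int) -> Tuple[str, Optional[str]]:
        """Classify an incoming packet: ('new', None), ('duplicate', cached reply)
        or ('refused', None) when the table is full."""
        self._expire(now)
        key = (src_ip, src_port, identifier)
        tracked = self.table.get(key)
        if tracked is not None:
            # Same IP/port/id while still tracked: a retransmit. If a reply was
            # already sent, it is served from the cache instead of re-running auth.
            return ("duplicate", tracked.reply)
        if len(self.table) >= self.max_requests:
            return ("refused", None)
        self.table[key] = TrackedRequest(received_at=now)
        return ("new", None)

    def send_reply(self, now: float, src_ip: str, src_port: int,
                   identifier: int, reply: str) -> None:
        tracked = self.table[(src_ip, src_port, identifier)]
        tracked.reply = reply
        tracked.replied_at = now


def replay_capture(cleanup_delay: int) -> str:
    """Replay frames 5475, 5482 and 6963 from the post under the model and return
    how the second id-76 packet (six seconds after the challenge) is classified."""
    nas = ("192.0.2.10", 49152)  # constructed NAS address/port, not from the capture
    det = DuplicateDetector(cleanup_delay=cleanup_delay)
    t_request, t_challenge, t_dup = 37207, 37207, 37213  # 10:20:07, 10:20:07, 10:20:13
    det.receive(t_request, *nas, 76)                          # Frame 5475
    det.send_reply(t_challenge, *nas, 76, "Access-Challenge")  # Frame 5482
    verdict, _ = det.receive(t_dup, *nas, 76)                 # Frame 6963
    return verdict


def retransmit_within_window() -> Optional[str]:
    """A NAS retransmit arriving inside cleanup_delay gets the cached reply."""
    nas = ("192.0.2.10", 49152)
    det = DuplicateDetector(cleanup_delay=2)
    det.receive(100.0, *nas, 77)
    det.send_reply(100.2, *nas, 77, "Access-Accept")
    verdict, cached = det.receive(101.0, *nas, 77)
    return cached if verdict == "duplicate" else None


def table_full_refuses() -> Tuple[str, str]:
    """With max_requests below the in-flight count a new id is refused, and only
    becomes acceptable once max_request_time has expired the stale entries."""
    det = DuplicateDetector(cleanup_delay=2, max_requests=2, max_request_time=5)
    det.receive(0.0, "192.0.2.10", 49152, 1)
    det.receive(0.0, "192.0.2.10", 49152, 2)
    refused, _ = det.receive(0.0, "192.0.2.10", 49152, 3)
    accepted, _ = det.receive(5.0, "192.0.2.10", 49152, 3)
    return refused, accepted


if __name__ == "__main__":
    print("cleanup_delay=2 :", replay_capture(2))
    print("cleanup_delay=10:", replay_capture(10))
    print("retransmit      :", retransmit_within_window())
    print("table full      :", table_full_refuses())
```

Under this model, with cleanup_delay = 2 the id-76 packet six seconds after the Access-Challenge is outside the cache window and is treated as a new request; only a cleanup_delay longer than the gap would make it a served-from-cache duplicate. max_requests does not change when an entry is freed, it only decides whether a new entry can be added while the table is full. Note that the model reproduces the quoted comments rather than the server's actual implementation, and that Wireshark's "Duplicate Request" annotation comes from its own dissector matching on the identifier, independent of whatever the server's cache does.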