Cleanup of the "id" between NAS and radius server

Alan DeKok aland at
Wed Nov 20 05:29:31 CET 2013

John Douglass wrote:
>  I have a question about any settings that may effect the timing of the
> re-use of the "Identifier" as per the RFC:

  The re-use is determined *solely* by the NAS.  What's in your
radiusd.conf doesn't matter.

> I have posted my wireshark screen at:
> When I am looking at my TCPdumps (debugging duplicate requests) I see a
> duplicate request come in at Frame 6963
> Frame 5475 at 10:20:07 - Access-Request id 76
> Frame 5482 at 10:20:07 - Access Challenge response to 5475 id 76
> Frame 6963 at 10:20:13 - Duplicate Request says response to this request
> id 76 is in frame 5482

  What you're missing (and Wireshark has wrong) is the length.  Frame
5482 has length 153.  Frame 6963 has length 264.

  They are *not* duplicates.  They are, in face, completely different.
The NAS didn't get a response to 5482.  So it re-used the ID, which it's
allowed to do.  And wireshark didn't notice.

> Now, Frame 6963 is a full 5 seconds past the Access-Challenge of Frame
> 5482.

  Which doesn't matter.  The NAS is allowed to give up on the request
0.1s after it's sent.  It's suggested to *not* give up that quickly, but
it's allowed.

> My question is, is it the "cleanup_delay" setting that cleans up old
> identifiers for re-use?

  No.  That has NOTHING to do with IDs.  The NAS is in charge of
allocating IDs.

> Does the "max_requests" value have any effect on when the identifiers
> are ready for re-use?

  No.  See the answer above.

  Alan DeKok.

More information about the Freeradius-Users mailing list