Cleanup of the "id" between NAS and radius server
Alan DeKok
aland at deployingradius.com
Wed Nov 20 05:29:31 CET 2013
John Douglass wrote:
> I have a question about any settings that may affect the timing of the
> re-use of the "Identifier" as per the RFC:
The re-use is determined *solely* by the NAS. What's in your
radiusd.conf doesn't matter.
> I have posted my wireshark screen at:
>
> http://johnd.oit.gatech.edu/wp-content/uploads/2013/11/wireshark-discarding-packet-1.png
>
> When I am looking at my TCPdumps (debugging duplicate requests) I see a
> duplicate request come in at Frame 6963
>
> Frame 5475 at 10:20:07 - Access-Request id 76
> Frame 5482 at 10:20:07 - Access Challenge response to 5475 id 76
> Frame 6963 at 10:20:13 - Duplicate Request says response to this request
> id 76 is in frame 5482
What you're missing (and Wireshark has wrong) is the length. Frame
5482 has length 153. Frame 6963 has length 264.
They are *not* duplicates. They are, in fact, completely different.
The NAS didn't get a response to 5482. So it re-used the ID, which it's
allowed to do. And wireshark didn't notice.
> Now, Frame 6963 is a full 5 seconds past the Access-Challenge of Frame
> 5482.
Which doesn't matter. The NAS is allowed to give up on the request
0.1s after it's sent. It's suggested to *not* give up that quickly, but
it's allowed.
> My question is, is it the "cleanup_delay" setting that cleans up old
> identifiers for re-use?
No. That has NOTHING to do with IDs. The NAS is in charge of
allocating IDs.
> Does the "max_requests" value have any effect on when the identifiers
> are ready for re-use?
No. See the answer above.
Alan DeKok.
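
The distinction drawn in the reply above (same ID, different packet) can be checked mechanically on a capture. The following is an added example, not part of the original message and not FreeRADIUS code: it parses the 20-byte RADIUS header and labels each Access-Request as new, a retransmission, or an ID re-use. It assumes a true retransmission repeats the same Length and Request Authenticator; the addresses, ports and packet bytes are constructed sample data.

```python
import struct

ACCESS_REQUEST = 1  # RADIUS Code value for Access-Request

def parse_header(payload: bytes):
    """Return (code, identifier, length, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("Length field inconsistent with payload size")
    return code, ident, length, payload[4:20]

def classify_requests(packets):
    """packets: iterable of (src_ip, src_port, payload) in capture order.
    Labels each Access-Request 'new', 'retransmit' or 'id-reuse'."""
    last = {}  # (src_ip, src_port, id) -> (length, authenticator)
    out = []
    for src_ip, src_port, payload in packets:
        code, ident, length, auth = parse_header(payload)
        if code != ACCESS_REQUEST:
            continue  # replies are not part of the comparison
        key = (src_ip, src_port, ident)
        fingerprint = (length, auth)
        if key not in last:
            label = "new"
        elif last[key] == fingerprint:
            label = "retransmit"  # same ID, same packet
        else:
            label = "id-reuse"    # same ID, different packet
        last[key] = fingerprint
        out.append((ident, length, label))
    return out

def _pkt(code, ident, length, auth_byte):
    """Constructed sample packet: header, repeated authenticator byte, zero padding."""
    return struct.pack("!BBH", code, ident, length) + bytes([auth_byte]) * 16 + bytes(length - 20)

# Constructed capture: request, challenge, retransmit, then the ID re-used.
SAMPLE = [
    ("192.0.2.10", 32768, _pkt(1, 76, 153, 0xAA)),
    ("192.0.2.1", 1812, _pkt(11, 76, 100, 0xBB)),
    ("192.0.2.10", 32768, _pkt(1, 76, 153, 0xAA)),
    ("192.0.2.10", 32768, _pkt(1, 76, 264, 0xCC)),
]

if __name__ == "__main__":
    for row in classify_requests(SAMPLE):
        print(row)
```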