Discarding Duplicate Request
John Douglass
john.douglass at oit.gatech.edu
Thu Oct 2 17:27:00 CEST 2014
:) Rando,
There has been much discussion on this list about that problem. If you
are using Cisco WLC, there is a flaw in the way radius is processed
which could lead to these log messages. Here is the previous set of
threads that have some pointers as to what to look at.
Cisco WLCs use the same source port, and the 8-bit ID that is used to
track radius conversations during peak times gets cycled so fast that
it creates duplicates where there really shouldn't be. We are pushing
Cisco hard to fix this flaw in their design especially since they are
creating controllers with more and more capacity. The problem is only
going to get worse.
I highly suggest you move to radius 2.2.5 and enable the ntlm_auth
timeout and upgrade your samba to 3.6 where you can add some additional
parameters. Here are some hints that Phil Huxley shared with us that
have been helpful in making our services better. The issues haven't been
handled 100%, and there are other things to consider like, if using a
Cisco WLC, enabling client exclusion, etc., etc., but I don't have a ton of
info on that as I just run the radius servers.
http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html
- John Douglass @ Georgia Tech
PS: I really need to write up a blog post about this :)
PPS: Yes, we know AD is slow and it sucks as a backend, but for a lot of
us, it's what we have to deal with :)
On 10/02/2014 11:10 AM, Rando Nakarmi wrote:
> I have been seeing quite a large number of messages like the one below
> logged in radius.log lately.
>
> Discarding duplicate request from client classroom98 port 32880 - ID:
> 131 due to unfinished request 241848
>
> I read in some thread that this might be the case when back-end servers
> (i.e. auth servers) are too slow to respond.
>
> My back-end is AD, using ntlm_auth.
> radius version 2.1.12-4
> samba version 3.5.8-68
>
> Any hints or suggestions on how to resolve this would be very helpful.
>
> Most of the users get authenticated (I don't think ntlm_auth is
> responding slowly); I could not figure this out.
>
> --cheers,
> Rando
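Added example, not part of the original thread and not FreeRADIUS code: a simplified model of the 8-bit ID wrap on a single source port described in the reply above, counting requests that arrive while an earlier request with the same (source port, ID) key is still unfinished. It assumes a constant request rate, a fixed back-end latency and round-robin ID assignment; the function names and the source_ports parameter are hypothetical, the latter included only for comparison.

```python
ID_SPACE = 256  # the RADIUS Identifier field is one octet, so 256 values


def count_collisions(interval_ms, backend_ms, n_requests, source_ports=1):
    """Count requests whose (source port, ID) key is still held by an
    unfinished earlier request when they arrive.

    interval_ms  -- gap between consecutive requests from the NAS (assumed constant)
    backend_ms   -- time the back end (e.g. ntlm_auth against AD) takes per request
    source_ports -- UDP source ports the NAS spreads requests over (assumption)
    """
    unfinished = {}  # (port index, ID) -> time at which that request completes
    collisions = 0
    for n in range(n_requests):
        now = n * interval_ms
        key = (n % source_ports, (n // source_ports) % ID_SPACE)
        if unfinished.get(key, -1) > now:
            # The earlier request with this key has not finished: the new
            # packet looks like a duplicate and is dropped; the old one stays.
            collisions += 1
            continue
        unfinished[key] = now + backend_ms
    return collisions


def max_clean_rate(backend_ms, source_ports=1):
    """Highest request rate per second before IDs wrap onto unfinished
    requests: at most ID_SPACE * source_ports requests can be in flight."""
    return ID_SPACE * source_ports * 1000 // backend_ms


if __name__ == "__main__":
    # Constructed scenarios: 500 requests/s (one every 2 ms).
    scenarios = [
        ("1 port, 1000 ms back end", (2, 1000, 1024, 1)),
        ("1 port,  100 ms back end", (2, 100, 1024, 1)),
        ("4 ports, 1000 ms back end", (2, 1000, 4096, 4)),
    ]
    for label, args in scenarios:
        print(f"{label}: {count_collisions(*args)} of {args[2]} discarded")
    print("ceiling at 1000 ms, 1 port:", max_clean_rate(1000), "req/s")
```

In this model the single-port ceiling is 256 requests in flight, so cutting back-end latency raises the rate at which IDs start to collide.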