preventing multiple authentication attempts for up to 2 minutes.
Alan DeKok
aland at deployingradius.com
Fri Mar 18 22:10:38 CET 2016
On Mar 18, 2016, at 9:14 AM, Jim Whitescarver <jimscarver at gmail.com> wrote:
>
> I am using the rlm_python plugin to trigger an out-of-band authentication and
> get a result typically completed in about 20 seconds but should not time
> out for two minutes.
FYI, most RADIUS clients (i.e. NAS, WiFi AP, etc.) will give up after 30 seconds.
> When I run radtest and a duplicate request comes in I get
>
> (0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due
> to unfinished request in component authenticate module python
That's what's supposed to happen...
> in the log. However, in an actual login attempt from a 3rd party system
> configured to use this radius instance I often see a second authentication
> attempt almost immediately started while the first is still in progress.
>
> How can I prevent this?
Fix the NAS so it isn't broken. The NAS is supposed to send a *duplicate* packet. Not send a *new* packet.
> I set idle timeouts in clients.conf and sites-available/default to 120.
> What else is needed?
Throw your NAS in the garbage, and buy a new NAS.
FreeRADIUS doesn't control how the NAS behaves.
Alan DeKok.
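
An added example (not part of the original thread, and not FreeRADIUS's own code) of the distinction drawn in the reply above: a retransmission repeats the source port, ID and Request Authenticator, so it can be matched against the request still in progress, while a packet with a new ID cannot. The matching key follows the duplicate detection described in RFC 5080; the class and function names and the sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1  # RADIUS code for Access-Request

def build_request(ident: int, authenticator: bytes, user: bytes = b"jim") -> bytes:
    """Construct a minimal Access-Request (header + User-Name) as sample input."""
    attr = bytes([1, 2 + len(user)]) + user          # type 1 = User-Name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr)) + authenticator + attr

def parse_header(packet: bytes):
    """Return (code, identifier, authenticator) from the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    return code, ident, packet[4:20]

class InFlightTable:
    """Requests still being processed, keyed by (source IP, source port, ID)."""
    def __init__(self):
        self.in_flight = {}

    def classify(self, src_ip: str, src_port: int, packet: bytes) -> str:
        code, ident, auth = parse_header(packet)
        if code != ACCESS_REQUEST:
            return "other"
        key = (src_ip, src_port, ident)
        if self.in_flight.get(key) == auth:
            return "duplicate"       # retransmission of a request still in progress
        self.in_flight[key] = auth   # anything else starts a new authentication
        return "new"

    def finish(self, src_ip: str, src_port: int, ident: int) -> None:
        self.in_flight.pop((src_ip, src_port, ident), None)

def demo():
    table = InFlightTable()
    auth_a, auth_b = bytes(range(16)), bytes(range(16, 32))  # constructed authenticators
    first = build_request(2, auth_a)
    results = [
        table.classify("127.0.0.1", 32940, first),   # original request
        table.classify("127.0.0.1", 32940, first),   # correct NAS: same packet resent
        table.classify("127.0.0.1", 32940, build_request(3, auth_b)),  # new ID: new attempt
    ]
    return results

if __name__ == "__main__":
    print(demo())
```

The third packet is the behaviour the original poster reports from the third-party system: because its ID differs, the server has nothing to match it against and a second authentication starts alongside the first.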