Issue with EAP authentication on packet loss

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Apr 25 12:37:01 CEST 2018



> On Apr 25, 2018, at 9:09 PM, jm+freeradiususer at roth.lu wrote:
> 
> 
> On 4/25/2018 10:55 AM, Arran Cudbard-Bell wrote:
>> What's happening is there are internal timers that clean up the session information (keyed off the State attribute), so when that retransmission comes in the session has already been cleared out.
>> 
>> In v3.0.x the state tree cleanup time is main_config.max_request_time * 10.
> 
> I don't believe this applies here. max_request_time * 10 would be 300 seconds.
> The second attempt from the NAS comes in after 15 seconds. So there's plenty of time.

Ah then what's happening is the state entry is being removed from the tree when the request is processed, and a new entry inserted for the next round.

When the response is sent, that's cached by the server, and that's controlled by another config item, which is cleanup_delay.

When your request is coming in it must be after cleanup_delay, so it's treated as a new request and the state lookup code fails because the previous entry has already been removed.

> BTW this is happening every now and then only. I don't think that's abnormal,

It's pretty abnormal for the responses not to reach or be processed by the NAS.

> but it's not cool
> when reauthentications are being used and users are disconnected for a few minutes until the NAS retries a completely new authentication.

Increase cleanup_delay, decrease retransmission interval on your NAS, prioritise RADIUS traffic so it's not lost, fix any odd things between the NAS and the RADIUS server.

-Arran
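
The timing interaction described in the message above, as an added example that is not part of the original post and not FreeRADIUS code: a simplified Python model of a reply cache held for cleanup_delay and a state tree whose entry is consumed when a round is processed. The class and function names, the (NAS, packet ID) cache key and the 5, 3 and 20 second values are assumptions constructed for the model, not checked against the server's permitted ranges; only the 15 second retransmission comes from the thread.

```python
class ModelServer:
    """Toy model: reply cache (cleanup_delay) plus one-shot State entries."""

    def __init__(self, cleanup_delay):
        self.cleanup_delay = cleanup_delay
        self.reply_cache = {}    # (nas, packet_id) -> (sent_at, reply)
        self.state_tree = set()  # State values the server will still accept
        self.counter = 0

    def handle(self, now, nas, packet_id, state=None):
        key = (nas, packet_id)
        cached = self.reply_cache.get(key)
        # Retransmission inside cleanup_delay: resend the cached reply,
        # the state tree is not consulted at all.
        if cached and now - cached[0] < self.cleanup_delay:
            return ("resent-cached",) + cached[1]
        # Otherwise the packet is processed as a brand new request.
        if state is not None:
            if state not in self.state_tree:
                # Entry was removed when the original copy was processed.
                reply = ("reject", None)
                self.reply_cache[key] = (now, reply)
                return ("new",) + reply
            self.state_tree.discard(state)  # consumed by this round
        self.counter += 1
        next_state = f"S{self.counter}"     # entry for the next round
        self.state_tree.add(next_state)
        reply = ("challenge", next_state)
        self.reply_cache[key] = (now, reply)
        return ("new",) + reply


def lost_reply_scenario(cleanup_delay, retransmit_after):
    """Round 2 reply is lost; the NAS resends the same packet later."""
    srv = ModelServer(cleanup_delay)
    _, _, s1 = srv.handle(0.0, "nas1", 1)   # round 1, reply delivered
    srv.handle(1.0, "nas1", 2, state=s1)    # round 2, reply lost in transit
    return srv.handle(1.0 + retransmit_after, "nas1", 2, state=s1)


if __name__ == "__main__":
    # (cleanup_delay, NAS retransmission interval) in seconds
    for cd, rt in [(5, 15), (5, 3), (20, 15)]:
        print(cd, rt, lost_reply_scenario(cd, rt))
```
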




