[EXT] Re: Question on client retransmit behavior
Brian Julin
BJulin at clarku.edu
Thu Apr 25 23:58:53 UTC 2024
Alan DeKok <aland at deployingradius.com> wrote:
> • The higher layer is responsible for re-transmission within a single authentication attempt,
> and should protect communication with the Authentication Server with retransmissions appropriate to the transport use.
>
> and
>
> Correct protocol operation depends upon the use of timer values by the Supplicant higher layer functions that are
> compatible with those used by the Authenticator’s higher layer functions to retransmit EAP-Requests.
> There is no automatic means of communicating changes in timer values between Authenticator and Supplicant,
> so deviation from the default timer values can adversely affect the operation of the protocol.
Thanks. If I find the time and patience to take this up with the vendor those will be useful.
> Where "authenticator" is the NAS.
>
> So perhaps it's the responsibility of the NAS to do retransmissions.
Hrm... maybe I'll just give it a try when usage is really low just to see what happens. Something horrible, no doubt.
>> There appears (sigh) to be no way to turn this behavior off. It also has a maximum 5 second timeout between retransmits, and though it will respond to Status-Server requests, it will not send them to upstream proxies.
> That part is at least fine: not proxying Status-Server.
What I meant was... it does not allow you to initiate Status-Server probes on that proxy hop to send to the next proxy. Wouldn't expect it to forward.
Thanks again.