[RADIATOR] Duplicate request issues
Heikki Vatiainen
hvn at open.com.au
Thu Nov 27 07:59:10 CST 2014
On 27.11.2014 14.03, Patrik Forsberg wrote:
> I see.. I have a cause for the duplicates I think.
> It seems like the configuration I'm using is never sending a reject back to the "external" proxies and I'm guessing that causes them to try again until they timeout the request?
Thanks for the update. Yes, this can escalate back to the request
originator, for example a WLAN controller, which may then switch to
another RADIUS server because it is getting no responses from its current
RADIUS server.
> It seems like if I add an Authby internal with a default reply of reject this causes most of my duplicates to vanish..
Yes, this is a good idea. If the same happens to accounting requests,
you can ignore them otherwise but use AuthBy INTERNAL to generate an
accounting response. This is also to keep the other server and the NAS
from retransmitting or switching servers.
> I'm using an AuthBy Group that has ContinueUntilAccept set and even when a user gets rejected it simply continues.. which would be the natural thing with ContinueUntilAccept but this also causes the rejected login to become "ignored" in the end..
> So an internal authby with default reject should remedy this I guess..
Yes. I recommend a default handler (simply <Handler> as the last Handler
in the configuration file), which rejects all authentication requests
and accepts accounting requests. It's not possible to reject
authentication, so they should be just accepted.
It might also be a good idea to have an AuthLog and/or AcctLogFileName
in the default Handler when all requests should be handled by the other
Handlers. This helps to see if there are any configuration mistakes that
cause requests to miss the other Handlers.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
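
Added example, not part of the original message or of Radiator's shipped configuration: a sketch of the two changes discussed in the thread, an AuthBy INTERNAL closing an AuthBy GROUP that uses ContinueUntilAccept, and a catch-all default Handler with logging. The realm example.com and the log file names are assumptions, and the group's existing AuthBy clauses are not shown on the page.

```conf
# Added example. Realm and file names below are constructed placeholders.

# 1) Group that previously ended without a reply. The final AuthBy INTERNAL
#    guarantees an answer once every earlier clause has failed to accept.
<Handler Realm=example.com>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        # ... the existing AuthBy clauses go here (not shown on the page) ...
        <AuthBy INTERNAL>
            # Access-Reject for authentication, Accounting-Response for
            # accounting, so proxies and the NAS stop retransmitting.
            DefaultResult REJECT
            AuthResult    REJECT
            AcctResult    ACCEPT
        </AuthBy>
    </AuthBy>
</Handler>

# 2) Default Handler. It must be the last Handler in the file: a bare
#    <Handler> matches every request the earlier Handlers did not.
<Handler>
    <AuthBy INTERNAL>
        DefaultResult REJECT
        AuthResult    REJECT
        AcctResult    ACCEPT
    </AuthBy>

    # Anything logged here missed the intended Handlers, which points to a
    # configuration mistake or to unexpected traffic.
    <AuthLog FILE>
        Filename   %L/default-handler-auth.log
        LogSuccess 0
        LogFailure 1
    </AuthLog>
    AcctLogFileName %L/default-handler-detail
</Handler>
```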