[RADIATOR] duplicate EAP Responses

Heikki Vatiainen hvn at open.com.au
Mon Nov 23 09:26:42 CST 2015


On 19.11.2015 3.08, David Zych wrote:

> Side note regarding the code branch of EAP_21 and EAP_25 which
> generates that "Nothing to read or write" message: even if a peer is
> behaving weirdly, is it really ever a good idea to deliberately not
> reply to an EAP Response?  The NAS is still waiting for a RADIUS
> reply, and not sending one gives the impression that Radiator simply
> dropped the RADIUS Access-Request (which is precisely the symptom
> that led me down this rabbit hole).

You can change this with the 'EAPErrorReject' flag in the AuthBy. This
changes the error behaviour so that a REJECT is sent instead of ignoring
the request. It does sound like a reject is a better way to respond.
We'll check this.

> And finally, tangential question #3: is EAPTTLS_NoAckRequired still
> useful/necessary in practice today?  I inherited a Radiator
> configuration written years ago which included this, and never
> thought to change it, but it seems to create an extra code condition
> under which we might end up IGNOREing a RADIUS Access-Request.

No, I do not think it is required anymore. The configurations I have 
done do not have this option enabled (and it's not on by default) and I 
have not seen any problems related to this.

That brings us to the main topic: thanks for the extensive debugging and the
logs you have gathered. We'll check the duplicate handling too and I
will get back to you, and the list, when I have something to report.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

