[RADIATOR] Possible internal race condition leading to 'duplicate' packets and 'unknown reply' messages?

Heikki Vatiainen hvn at open.com.au
Thu Feb 20 11:21:05 UTC 2020


On 19.2.2020 0.49, Stefan Paetow wrote:

> So I've switched on the GlobalMessageLog for RadSec (with a hook for
> the other end's IP) and turns out in our log that our NoReplyHook
> code fires as appropriate, but because it doesn't include a
> Proxy-State, it then cannot be matched to the appropriate request
> packet on the downstream (and they see an 'AuthRADSEC Could not get
> extended identifier: No Proxy-State attribute found in reply'
> message), which prompted the question. In *our* log, we then see
> *another* RADIUS packet, with the same Identifier as the packet
> created by the NoReplyHook, being fired back to the downstream, this
> time *with* a Proxy-State that matches the incoming packet.

Thanks for the logs and the detailed look at this. Did you have AuthBy 
HANDLER configured for directly picking up the right Handler for 
proxying? I think I may have seen a part of your configuration but I do 
not recall the details and it of course may have changed since then.

What I'm thinking of is that having two Handlers + a hook to generate 
rejects may be causing the duplicates.

Also, Stefan noted that so far there have been no complaints. I think 
what happens is that the first reject without Proxy-State simply gets 
discarded by the receiver. This allows the other reject to be processed 
normally.

Stefan, do you think you could send us your configuration? There's no 
need to include secrets, passwords and similar and if there are parts 
that simply repeat what already exists, you can leave those out. What 
I'm interested in is the structure of the configuration and how Hooks etc. 
are used. You can send it to us directly.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

