On 11/11/13 14:45, Linus Nordberg wrote:
> Alejandro Perez Mendez wrote
> Fri, 8 Nov 2013 12:18:38 +0100:
>
> | Hello,
> |
> | I'm facing some problems with libradsec and retransmissions. The
> | situation is the following: as all my previous tests were driven in
> | local networks, the likelihood of losing a RADIUS packet was
> | low. However, now I'm doing my tests through the eduroam
> | infrastructure, and packet loss is a reality.
> |
> | What I have observed is that when an Access-Request RADIUS packet is
> | lost, libradsec sends a retransmission packet, but it seems to fail
> | handling the response. This results in the following situation:
> |
> | RP ---> AAA: Access-Request lost
> | RP ---> AAA: Access-Request retransmission
> | RP <--- AAA: Access-Challenge unhandled by RP
> | RP ---> AAA: Access-Request retransmission
> | RP <--- AAA: Access-Reject due to session closed
>
> The pcap file shows something similar but different:
>
> 00.00 cli -> srv Access-Request
> 00.14 srv -> cli Access-Challenge
> 00.04 cli -> srv Access-Request
> 00.14 srv -> cli Access-Challenge
> 00.04 cli -> srv Access-Request
> 01.11 srv -> cli Access-Challenge
> 00.04 cli -> srv Access-Request
> 02.07 cli -> srv Access-Request
> 00.02 srv -> cli Access-Challenge
> 06.25 cli -> srv Access-Request
> 01.16 srv -> cli Access-Reject
> 14.60 cli -> srv Access-Request
> 01.16 srv -> cli Access-Reject
I just summarized. But for me they are the same case.
00.04 cli -> srv Access-Request (LOST)
02.07 cli -> srv Access-Request (Retransmission that arrives)
00.02 srv -> cli Access-Challenge (Response to retransmission)
06.25 cli -> srv Access-Request (Second retransmission since it didn't
notice there was a response already)
01.16 srv -> cli Access-Reject (Reject as this second retransmission is
related to an expired EAP session)
14.60 cli -> srv Access-Request (Third retransmission, since it didn't
even notice the Access-Reject)
01.16 srv -> cli Access-Reject (Reject as this third retransmission is
related to an expired EAP session)
> Have you verified that you indeed have packet losses, f.ex. by looking
> at traffic at the server?
Yes, I did. The packet does not arrive at the AAA server, just the first
and subsequent retransmissions do.
> libradsec doesn't handle Access-Challenge at all -- it simply verifies
> the response authenticator and sends it upwards in the stack.
My impression is that it is related to the lower network operation
(socket related), not to the packet processing. Indeed, note that it
fails equally processing Challenges and Rejects. It just omits the
received packet and keeps retransmitting the previous Request.
> Do we know
> that authenticating with a server that is sending Access-Challenge works
> when we don't think that we have packet loss?
>
Sorry, I did not get this question.
Thanks for your response.
Regards,
Alejandro
> | Besides, and maybe related, all the RADIUS requests coming out from
> | the RP are sent with the Identifier field set to 0.
>
> I think that's a good thing. For retransmissions, I mean.
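
As an added illustration (not libradsec code and not part of the original message), this example follows RFC 2865: a retransmitted Access-Request keeps its Identifier and Request Authenticator, so a reply to any copy verifies, and an accepted reply stops further retransmission. `PendingRequest`, `build_request`, `build_response` and the shared secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
SECRET = b"constructed-shared-secret"  # constructed sample value

def build_request(ident, req_auth, attrs=b""):
    """Access-Request: Code, Identifier, Length, 16-byte Request Authenticator."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, attrs=b"", secret=SECRET):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(hdr + request[4:20] + attrs + secret).digest()
    return hdr + auth + attrs

class PendingRequest:
    """Hypothetical client-side state for one outstanding request."""

    def __init__(self, ident, attrs=b""):
        self.ident = ident
        self.req_auth = os.urandom(16)
        self.packet = build_request(ident, self.req_auth, attrs)
        self.sent = 0
        self.answered = False

    def transmit(self):
        """Bytes to send; every retransmission is byte-identical to the first."""
        if self.answered:
            return None  # a valid reply arrived, nothing left to resend
        self.sent += 1
        return self.packet

    def accept(self, response, secret=SECRET):
        """Match by Identifier, then verify the Response Authenticator."""
        if len(response) < 20:
            return False
        _code, ident, length = struct.unpack("!BBH", response[:4])
        if ident != self.ident or length != len(response):
            return False
        expect = hashlib.md5(
            response[:4] + self.req_auth + response[20:] + secret).digest()
        if not hmac.compare_digest(expect, response[4:20]):
            return False
        self.answered = True
        return True
```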