Massimiliano Tarquini wrote:
> We are using the same freeradius as a proxy and it works fine running onto a
> different machine.
> The proxy auth the outer EAP-TTLS then asks to the radius to auth the inner.

That still isn't a very clear description of the network configuration.

> There is a firewall between the radius and the database (not between the
> proxy and the database). May the firewall cause the problem?

Yes. I've never understood why people put firewalls between critical network services. And *then* configure the firewalls to time out inactive connections.

In this case, what's happening is this:

- FreeRADIUS asks the Postgresql client library to open a socket to the server.
- it does
- 10 minutes later, the firewall decides that the TCP connection is unused, and discards all knowledge of it
- FreeRADIUS receives a new request, and asks the postgresql client library to do an SQL query.
- the postgresql library believes that the connection is still up, and tries to use it.
- the firewall discards ALL packets for the connection
- the kernel blocks all reads && writes that the postgresql client library tries to do.
- which then blocks FreeRADIUS.

In short, configuring the firewall to discard sessions after 10 minutes or so of idle time is bad. *Especially* because the connections between FreeRADIUS && the DB are idle for longer than that.

This is *not* a problem with FreeRADIUS. You have configured your firewall so that *it* is blocking the server.

Fix your firewall, or remove it. Nothing else will solve the problem.

Alan DeKok.
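
The sequence described in the message above, modelled as a small simulation. This is an added example, not part of the original post and not FreeRADIUS or PostgreSQL code; the firewall model, the flow tuple and the timestamps are constructed, and the 600-second timeout is taken from the "10 minutes" in the message.

```python
# Added illustration: models a stateful firewall's idle timeout on one
# long-lived FreeRADIUS -> PostgreSQL TCP connection. All names and
# timestamps are constructed for this example.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 600  # seconds; the "10 minutes" from the message


@dataclass
class StatefulFirewall:
    idle_timeout: int
    flows: dict = field(default_factory=dict)  # flow id -> last-seen time

    def packet(self, flow, now, syn=False):
        """Return True if the packet is forwarded, False if silently dropped."""
        last = self.flows.get(flow)
        if last is not None and now - last > self.idle_timeout:
            del self.flows[flow]          # state expired: flow is forgotten
            last = None
        if last is None and not syn:
            return False                  # mid-stream packet with no state
        self.flows[flow] = now            # create or refresh the state entry
        return True


def replay(query_times, idle_timeout=IDLE_TIMEOUT):
    """Open one connection at t=0, then send a query at each given time.

    Returns a list of (time, outcome). The client is never told that the
    firewall forgot the flow, so it keeps reusing the same socket.
    """
    fw = StatefulFirewall(idle_timeout)
    flow = ("radius", 40000, "db", 5432)  # constructed 4-tuple
    if not fw.packet(flow, 0, syn=True):
        raise RuntimeError("initial connection was not admitted")
    results = []
    for t in query_times:
        forwarded = fw.packet(flow, t)
        results.append((t, "answered" if forwarded else "blocked"))
    return results


if __name__ == "__main__":
    # Constructed timeline: a busy period, then a 15-minute quiet gap.
    for t, outcome in replay([30, 200, 700, 1600, 1610, 1700]):
        print(f"t={t:>5}s  query {outcome}")
```

Once the idle gap exceeds the timeout, every later query on that socket is dropped, not only the first one after the gap.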