On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >I discovered that our Cisco 5200 resends acct-requests (not sure about
> >auth-requests) with different request identifiers, which violates
> >RFC 2866. Here is sample debug output (note the id's!):
>
> Acct-Delay-Time has changed. It is not the same packet.
Of course, it's changed - it retransmits it because it timed out waiting for the response. But RFC 2866 says:
Identifier
The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
Once the ids are different, radiusd can't detect the duplicate requests and processes them as if they were independent.
It's not a dupe because it is different, that's the point. It is not the same set of a/v pairs that was originally sent. I don't see anything violating the RFC here.
As I said, the server took too long to process the first request - more than 5 seconds. It happens sometimes, and I don't think it's too bad.
Then increase the retry timeout on the cisco so it waits longer for a response. Alternatively, fix your radius server so it doesn't take 5 *seconds* to process a request. :)
-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
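
Added example, not part of the original thread and not FreeRADIUS code: a small model of the packet-level duplicate check quoted from RFC 2866 (source IP, source port, Identifier), showing that a retransmission carrying a new Identifier and Acct-Delay-Time passes it, and how a record-level key on Acct-Session-Id and Acct-Status-Type still stops the record being stored twice. The class names, the 30-second window, the record-level key and the sample values are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass, field

DUP_WINDOW = 30.0  # seconds; assumed value for the RFC's "short span of time"


@dataclass(frozen=True)
class AcctRequest:
    src_ip: str
    src_port: int
    identifier: int          # one-octet RADIUS Identifier
    session_id: str          # Acct-Session-Id
    status_type: str         # Acct-Status-Type: "Start" or "Stop"
    delay_time: int = 0      # Acct-Delay-Time in seconds


@dataclass
class AcctServer:
    packets: dict = field(default_factory=dict)   # packet key -> time last seen
    records: set = field(default_factory=set)     # accounting records stored

    def handle(self, req, now=None):
        now = time.monotonic() if now is None else now
        # Expire packet-level entries that fell out of the window.
        self.packets = {k: t for k, t in self.packets.items()
                        if now - t < DUP_WINDOW}
        pkt_key = (req.src_ip, req.src_port, req.identifier)
        if pkt_key in self.packets:
            return "duplicate-packet"     # same Identifier: detected as in the RFC text
        self.packets[pkt_key] = now
        # Record-level key ignores Identifier and Acct-Delay-Time, which both
        # change on the retransmissions discussed in the thread.
        rec_key = (req.src_ip, req.session_id, req.status_type)
        if rec_key in self.records:
            return "duplicate-record"     # acknowledge, but do not store twice
        self.records.add(rec_key)
        return "stored"


def demo():
    # Constructed sample requests from one NAS for one session.
    srv = AcctServer()
    first = AcctRequest("192.0.2.10", 1646, 21, "0000A1B2", "Stop", delay_time=0)
    new_id = AcctRequest("192.0.2.10", 1646, 22, "0000A1B2", "Stop", delay_time=5)
    return [srv.handle(first, 0.0),    # original request
            srv.handle(first, 1.0),    # retransmit with the same Identifier
            srv.handle(new_id, 5.0)]   # retransmit with a new Identifier
```

A server that implements only the packet-level check would return "stored" for the third request as well, which is the double processing described in the thread.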
