Phil Mayers wrote:
> First, the FreeRADIUS duplicate detect / retransmit logic doesn't apply
> because the source IP, shared secret, Proxy-State and
> Message-Authenticator are all different, even though all other
> attributes are identical. This is correct behaviour AFAICT from the RFCs.
>
> Second, because the retransmits aren't eaten by the duplicate detection,
> they arrive as real packets in the server core, but are rejected because
> the "State" attribute is no longer valid - this is because FR mutates
> "State" on every round-trip, mixing in the EAP type/id/exchange number.
  There is a solution.  But it involves new code.

> Does anyone have any thoughts on the matter? Absent RADIUS-over-TCP,
> this seems like a really tricky one...

  Nah.  Create a new "state tracking" module.

a) runs before sending reply, and caches State -> request/reply

b) runs on receiving packet, and looks for duplicate state;
   if found, and request looks similar, send duplicate reply

  That would bypass all of the EAP code, and add another layer of
duplicate detection after the "packets are duplicate" code.

  There should really also be a state tracking API in the server core.
Certain modules (i.e. securid) roll their own, and it's not overly
efficient.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
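The two-layer scheme proposed above, as an added example that is not FreeRADIUS code and not from either poster. It models the standard per-packet duplicate check (keyed on source address, port, ID and Request Authenticator) and, behind it, the State-keyed cache: step (a) records the incoming State together with a "similarity" fingerprint of the request and the reply before the reply goes out; step (b) looks the State up on the next packet and resends the cached reply only when the request matches that fingerprint after the per-hop attributes (Proxy-State, Message-Authenticator) are stripped. The `Server`, `Packet` and `Reply` names, the simulated EAP core that rotates State on every round-trip, and the sample packets are all invented for the illustration.

```python
"""Toy model of wire-level vs State-keyed duplicate detection for proxied
EAP retransmits.  Added example; not FreeRADIUS code.  All names here are
invented, and the packets below are constructed sample data."""
import os
from dataclasses import dataclass
from typing import Optional

# Attributes that legitimately differ when a retransmit is relayed by a
# different proxy, so they must not count towards "request looks similar".
PER_HOP = {"Proxy-State", "Message-Authenticator"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    identifier: int
    authenticator: bytes      # Request Authenticator (random per packet)
    attrs: tuple              # ((name, value), ...) - hashable attribute list

    def get(self, name):
        return dict(self.attrs).get(name)


@dataclass(frozen=True)
class Reply:
    code: str                 # "Access-Challenge" / "Access-Accept" / "Access-Reject"
    state: Optional[bytes]    # State handed to the peer for the next round


def wire_key(p):
    """Standard RADIUS dedup key.  A retransmit relayed by another proxy
    changes every component, so this layer cannot see it as a duplicate."""
    return (p.src_ip, p.src_port, p.identifier, p.authenticator)


def similarity_key(p):
    """Fingerprint used for 'request looks similar': everything except the
    per-hop attributes."""
    return tuple(sorted((k, v) for k, v in p.attrs if k not in PER_HOP))


class Server:
    def __init__(self, state_tracking):
        self.state_tracking = state_tracking
        self.wire_cache = {}       # wire_key -> Reply          (existing dedup)
        self.state_cache = {}      # incoming State -> (similarity_key, Reply)
        self.valid_state = None    # the single State the EAP session accepts now
        self.core_calls = 0        # how often the "real" server core ran

    def handle(self, req):
        k = wire_key(req)
        if k in self.wire_cache:                                   # layer 1
            return self.wire_cache[k], "dup-wire"
        st = req.get("State")
        if self.state_tracking and st in self.state_cache:         # step (b)
            sim, reply = self.state_cache[st]
            if sim == similarity_key(req):
                return reply, "dup-state"
        reply = self.core(req)
        self.wire_cache[k] = reply
        if self.state_tracking and st is not None:                 # step (a)
            self.state_cache[st] = (similarity_key(req), reply)
        return reply, "core"

    def core(self, req):
        """Stand-in for the EAP module: State is rotated on every round-trip,
        so a request carrying an older State is rejected."""
        self.core_calls += 1
        st = req.get("State")
        if st is not None and st != self.valid_state:
            return Reply("Access-Reject", None)
        self.valid_state = os.urandom(16)
        return Reply("Access-Challenge", self.valid_state)


def run_scenario(state_tracking):
    """Round 1, round 2 via proxy A, the same round 2 retransmitted via proxy B,
    then a different request that reuses the stale round-2 State."""
    srv = Server(state_tracking)
    r1 = Packet("10.0.0.1", 1812, 1, os.urandom(16),
                (("EAP-Message", b"identity"), ("Proxy-State", b"A:1"),
                 ("Message-Authenticator", b"ma1")))
    s1 = srv.handle(r1)[0].state
    common = (("EAP-Message", b"response-1"), ("State", s1))
    r2 = Packet("10.0.0.1", 1812, 2, os.urandom(16),
                common + (("Proxy-State", b"A:2"), ("Message-Authenticator", b"ma2")))
    reply2, how2 = srv.handle(r2)
    r2_dup = Packet("10.0.0.2", 1812, 7, os.urandom(16),     # relayed by proxy B
                    common + (("Proxy-State", b"B:9"), ("Message-Authenticator", b"ma9")))
    reply3, how3 = srv.handle(r2_dup)
    r4 = Packet("10.0.0.1", 1812, 3, os.urandom(16),         # same State, new payload
                (("EAP-Message", b"something-else"), ("State", s1),
                 ("Proxy-State", b"A:3"), ("Message-Authenticator", b"ma3")))
    reply4, how4 = srv.handle(r4)
    return {"round2": (reply2.code, how2), "retransmit": (reply3.code, how3),
            "same_reply": reply2 == reply3, "stale_replay": (reply4.code, how4),
            "core_calls": srv.core_calls}


if __name__ == "__main__":
    for tracking in (False, True):
        print("state tracking", "on " if tracking else "off", run_scenario(tracking))
```

With tracking off, the proxy-B retransmit reaches the core and is rejected because its State has already been rotated; with tracking on, it is answered from the State cache with the very reply the first copy got, and the core is not touched. The fourth packet shows why step (b) must also compare the request: it carries the same State but a different EAP-Message, so it is not a retransmit and still falls through to the core (where the stale State is rejected).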

