We have freeradius as a proxy server, and I see 2 problems:

1) When we receive an Access-Request from a client with an incorrect
password/invalid user, the freeradius proxy sends it to the final radius and
the final answers with an Access-Reject very quickly, but the freeradius proxy
delays the answer to the client by 16 seconds.


2) When we receive an Access-Request and we send it to the final radius,
if the shared secret (shared by proxy and final) is incorrect, the final
sends a reject to the proxy and the proxy waits the same time (16 seconds)
before answering the client with a reject.


3) When we receive an Access-Request and we send it to the final
radius, if the proxy radius is not an allowed client in the final
radius, the final radius silently discards the packet, and with no answer
the proxy delays 31 (#!?) seconds and sends a reject to the client.

Questions:

+ Is there any way to shorten this request time? Where can I configure
that? Is it something about this message: "Waking up in 16 seconds..."?

+ Should the final radius answer when the shared secret is incorrect or
silently discard the packet? Should the final radius answer when the
proxy is not an allowed client or silently discard the packet?

In RFC 2865 we can read (page 5):
"Once the RADIUS server receives the request, it validates the sending
client. A request from a client for which the RADIUS server does not
have a shared secret MUST be silently discarded. If the client is valid,
the RADIUS server consults a database of users to find...."
Mmmm, ok, I think the final radius should also discard the packet with
an INCORRECT shared secret. Is that correct? 

Thanks.
    Miguel Diez
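
Added example, not part of the original post and not FreeRADIUS code: a Python model of RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator check. It shows that a home server holding a different secret can only distinguish a secret mismatch from a bad password when Message-Authenticator is present and verified. The secrets are constructed, and `home_server` and `check_ma` are hypothetical names.

```python
import hashlib, hmac, os, struct

# Constructed sample secrets that deliberately differ (not from the post).
PROXY_SECRET, HOME_SECRET = b"proxy-side-secret", b"home-side-secret"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with an MD5(secret + previous) chain."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def access_request(user, password, secret, req_auth=None, ident=1):
    """Proxy side: Access-Request with Message-Authenticator (80) placed last."""
    req_auth = req_auth or os.urandom(16)  # random, so it proves nothing about the secret
    attrs = attr(1, user) + attr(2, hide(password, secret, req_auth)) + attr(80, bytes(16))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def home_server(pkt, secret, stored_password, check_ma=True):
    """Verdict for a packet from a known client: accept, reject or discard."""
    req_auth, pos, attrs = pkt[4:20], 20, {}
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:
        attrs[pkt[pos]] = (pos + 2, pkt[pos + 2:pos + pkt[pos + 1]])
        pos += pkt[pos + 1]
    if check_ma and 80 in attrs:
        off, sent = attrs[80]
        zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), sent):
            return "discard"  # secret mismatch or tampering is detectable here
    if 2 not in attrs:
        return "discard"
    guess = unhide(attrs[2][1], secret, req_auth)
    return "accept" if hmac.compare_digest(guess, stored_password) else "reject"
```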


