Alexander Okonnikov changed bug 4096
Comment #7 on bug 4096 from Alexander Okonnikov
Still unresolved in 2.1.x
Fully agree with Stipe Tolj that Request/Response Authenticator should be taken
into account. BTW, RFC 5080 provides this solution, see Section 2.2.2:
...
Cache entries MUST also be purged if the server receives a valid
Access-Request packet that matches a cached Access-Request packet in
source address, source port, RADIUS Identifier, and receiving socket,
but where the Request Authenticator field is different from the one
in the cached packet. If the request contains a Message-
Authenticator attribute, the request MUST be processed as described
in [RFC3580] Section 3.2. Packets with invalid Message-
Authenticators MUST NOT affect the cache in any way.
...
and
...
When sending requests, RADIUS clients MUST NOT reuse Identifiers for
a source IP address and source UDP port until either a valid response
has been received, or the request has timed out. Clients SHOULD
allocate Identifiers via a least-recently-used (LRU) method for a
particular source IP address and source UDP port.
...
In my case the client receives a valid response and then reuses the Identifier and
allocates a new Authenticator value for the second request. Wireshark treats the
second request as a duplicate of the first, though the Authenticator values are
different (Src IP, Src Port and Identifier are the same for both requests).
Note: the Identifier value is reused due to the high rate of requests (~100 pps).
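
The duplicate-detection rule from the quoted RFC 5080 text, as an added sketch that is not part of the original comment and is not Wireshark's code. RequestTracker, classify and build_request are hypothetical names, the sample packets are constructed, and Message-Authenticator validation is assumed to have happened before classify() is called.

```python
import struct

ACCESS_REQUEST = 1  # RADIUS Code for Access-Request (RFC 2865)


def parse_header(datagram: bytes):
    """Return (code, identifier, request_authenticator) from a RADIUS packet."""
    if len(datagram) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("bad RADIUS Length field")
    return code, ident, datagram[4:20]


class RequestTracker:
    """Classifies Access-Requests following the quoted section 2.2.2 rule."""

    def __init__(self):
        # (src_ip, src_port, identifier, socket) -> Request Authenticator
        self.cache = {}

    def classify(self, src_ip, src_port, sock, datagram):
        code, ident, auth = parse_header(datagram)
        if code != ACCESS_REQUEST:
            return "ignored"
        key = (src_ip, src_port, ident, sock)
        cached = self.cache.get(key)
        if cached == auth:
            return "duplicate"  # same Authenticator: a true retransmission
        # Different Authenticator: purge the old entry, track the new request.
        self.cache[key] = auth
        return "new" if cached is None else "identifier-reused"


def build_request(ident: int, auth: bytes) -> bytes:
    """Constructed sample: an Access-Request header with no attributes."""
    if len(auth) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + auth


if __name__ == "__main__":
    tracker = RequestTracker()
    first, second = bytes(range(16)), bytes(range(16, 32))
    for auth in (first, first, second):
        pkt = build_request(7, auth)
        print(tracker.classify("192.0.2.10", 40000, "sock0", pkt))
```

Keying on source address, port and Identifier alone would label the third packet a duplicate, which is the behaviour described in the comment above.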