
Re: Simultaneous session limits and duplicate detection



On Thu, Mar 08, 2007 at 02:46:34PM -0800, Bernard Aboba wrote:
> Alper Yegin said:
> "RADIUS does not talk about 1, does not properly mandate 2a...
> If we decide to go with 2a, we need to fix RADIUS spec. Meanwhile, can we
> assume all of the current RADIUS implementations are already supporting 2a,
> so that in the absence of 1 and 2b EAP works well?"
>
> [BA] Yes, I think we can assume this. Alan's proposed language will mandate
> 2a.

I hit this issue in testing a couple of years ago when EAP-SIM tests
were failing if the NAS re-transmitted the Access-Request quickly. In other
words, the RADIUS server was not doing duplicate detection. Since then,
this particular implementation has added support for duplicate
detection, but I believe it can be disabled in the configuration, and there
has been discussion of some deployments doing that in order to avoid
issues with a large number of requests (more than 256 per duplicate
window of a couple of seconds, i.e., more than the number of unique
Identifiers).

The Issues & Fixes document Section 2.1.2 talks about how a combination of the EAP Identifier, source IP address and State attribute can be used to enable each EAP session to have its own unique Identifier space. If handled this way, there would not be a tradeoff between duplicate elimination and restrictions on the number of simultaneous sessions that can be handled.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
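The trade-off discussed in this thread, as an added example that is not code from the list or from any RADIUS implementation mentioned above: a small duplicate-detection cache run two ways, keyed on (source IP, Identifier) and then on (source IP, Identifier, State). The packets, the 2-second window, the NAS address and the per-session State values are all constructed here, and the key composition is one plausible reading of the Issues & Fixes text, not a transcription of it; the UDP source port, which a real server would also key on, is left out for brevity.

```python
"""Added example: why keying RADIUS duplicate detection on the State
attribute removes the 256-request-per-window cap on a single NAS.

Everything below is constructed for illustration (assumed NAS address,
assumed State values, assumed 2 s window).  The UDP source port that a
real server also keys on is omitted."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 2.0  # duplicate window, "couple of seconds" in the thread


@dataclass(frozen=True)
class AccessRequest:
    src_ip: str
    identifier: int          # 8-bit RADIUS Identifier, 0..255
    authenticator: bytes     # 16-byte Request Authenticator
    state: Optional[bytes]   # State attribute (one per EAP session), or None


class DuplicateDetector:
    """Cache of recently seen requests.

    use_state=False: key = (src_ip, identifier)            -> 256 keys per NAS
    use_state=True : key = (src_ip, identifier, state)     -> 256 keys per session
    """

    def __init__(self, use_state: bool, window: float = WINDOW_SECONDS):
        self.use_state = use_state
        self.window = window
        self.cache: Dict[Tuple, Tuple[bytes, float]] = {}  # key -> (authenticator, first_seen)

    def _key(self, req: AccessRequest) -> Tuple:
        key: Tuple = (req.src_ip, req.identifier)
        return key + (req.state,) if self.use_state else key

    def classify(self, req: AccessRequest, now: float) -> str:
        """Return 'new', 'retransmission' or 'identifier-reuse'.

        A retransmission (same key, same Request Authenticator, inside the
        window) should get the cached reply and must not be processed again.
        An identifier-reuse is a different packet that collides with a live
        cache entry: the server cannot tell whether it is a retransmission
        without comparing authenticators, and any per-key reply cache is
        now ambiguous.
        """
        key = self._key(req)
        entry = self.cache.get(key)
        if entry is not None and now - entry[1] <= self.window:
            if entry[0] == req.authenticator:
                return "retransmission"
            return "identifier-reuse"
        self.cache[key] = (req.authenticator, now)
        return "new"


def simulate(use_state: bool, sessions: int = 300) -> Dict[str, int]:
    """One NAS starts `sessions` EAP sessions within a few hundred ms, each
    with its own State, then retransmits the very first Access-Request
    unchanged half a second later.  Identifiers wrap at 256, as they must."""
    det = DuplicateDetector(use_state)
    counts = {"new": 0, "retransmission": 0, "identifier-reuse": 0}
    requests = []
    for n in range(sessions):
        req = AccessRequest(
            src_ip="192.0.2.10",                 # constructed NAS address
            identifier=n % 256,                  # Identifier space wraps
            authenticator=n.to_bytes(16, "big"),  # distinct per request
            state=b"sess-%d" % n,                # constructed per-session State
        )
        requests.append(req)
        counts[det.classify(req, now=n * 0.001)] += 1
    # The NAS did not get an answer quickly enough and resends request 0 verbatim.
    counts[det.classify(requests[0], now=0.5)] += 1
    return counts


if __name__ == "__main__":
    print("without State:", simulate(use_state=False))
    print("with State:   ", simulate(use_state=True))
```

Without State in the key, the 300 sessions exhaust the 256 Identifiers and 44 requests collide with live cache entries inside the window, which is exactly the situation that tempts an operator to switch duplicate detection off; with State in the key, every session has its own Identifier space, all 300 are accepted as new, and the verbatim retransmission of the first request is still recognised as a duplicate in both modes.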