Source port for Radius requests

B.Smeets
Level 1

Our controllers use the default UDP source port 32769 for outgoing Radius requests.

According to the RFC, there can be no more than 256 different IDs for these requests. It has turned out that, in peak times, there are more than 256 outstanding requests, resulting in our Radius servers discarding some requests as supposed duplicates, because they have the same ID.

One solution would be to use a different source port for each request, or at least more than one for all requests. Is this possible?

6 Replies

Scott Fella
Hall of Fame

Need more info... What controllers and what radius server? What code version also?


-Scott
*** Please rate helpful posts ***

Controllers are 5508, two active and two HA-standby.

Code version is 7.4.100.60.

Radius servers are Radiator version 4.10.

I don't know that radius server.  Do you know if there is a limitation on the radius server as to how many simultaneous connections it can process?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"


Jacob Snyder
Level 5

I don't know that you can configure the source port on the WLC.

Option 1: You could look at changing the radius timeout on the radius server so you aren't keeping radius sessions open as long.  This might be a feasible option, but might not be present in all radius servers, it also might have undesired consequences.

Per the RFC:

Identifier

      The Identifier field is one octet, and aids in matching requests
      and replies.  The RADIUS server can detect a duplicate request if
      it has the same client source IP address and source UDP port and
      Identifier within a short span of time.

Option 2:  (Probably my preferred option)

Well, I don't think we can diversify the port number, but we can diversify the source IP.  Assuming you have these clients on more than one dynamic interface, you could enable the option on the WLAN for the "RADIUS server interface override," which would alter the source IP address from the Management interface to the dynamic interface the clients are on.  You would have to have more than one dynamic interface to put clients on to make it happen, and you would have to add all of the dynamic interfaces you wanted to leverage this technique with to the RADIUS server as clients, but this complies with the RFC.

This isn't a problem I have run into, but hopefully this will be something that is doable in your environment.  I would hope that all 250 clients in that short of a period of time aren't all on the same dynamic interface.
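A small model of the RFC 2865 duplicate check quoted above, added here as an illustration (it is not code from the thread, from the WLC, or from Radiator). It keys the server-side cache on (client IP, source UDP port, Identifier) and shows why one source address/port pair cannot carry more than 256 outstanding requests, and how either a shorter window (option 1) or more source addresses (option 2) removes the false duplicates; the addresses, port and window lengths are constructed sample values.

```python
"""Model of RADIUS duplicate detection (RFC 2865 section 3): a request is a
duplicate if (client IP, source UDP port, Identifier) was seen within a short
window. Identifier is one octet, so one address/port pair has 256 IDs."""
import time


class DuplicateCache:
    """Server-side cache of recently seen requests, keyed as the RFC says."""

    def __init__(self, window_seconds: float):
        self.window = window_seconds
        self.seen = {}  # (src_ip, src_port, identifier) -> last-seen time

    def is_duplicate(self, src_ip, src_port, identifier, now=None):
        now = time.monotonic() if now is None else now
        key = (src_ip, src_port, identifier & 0xFF)
        last = self.seen.get(key)
        self.seen[key] = now
        return last is not None and (now - last) < self.window


def simulate(n_requests, src_addrs, window=5.0):
    """Send n_requests, spread round-robin over the given (src_ip, src_port)
    pairs, 1 ms apart; each pair allocates Identifiers sequentially with
    8-bit wrap, as a NAS does. Returns how many the server would discard."""
    cache = DuplicateCache(window)
    next_id = {addr: 0 for addr in src_addrs}
    dropped = 0
    for i in range(n_requests):
        addr = src_addrs[i % len(src_addrs)]
        ident = next_id[addr]
        next_id[addr] = (ident + 1) & 0xFF  # Identifier wraps after 255
        if cache.is_duplicate(addr[0], addr[1], ident, now=i / 1000.0):
            dropped += 1
    return dropped


if __name__ == "__main__":
    one_src = [("10.0.0.1", 32769)]                      # constructed
    two_src = one_src + [("10.0.0.2", 32769)]            # constructed
    print("300 requests, one source, 5 s window:", simulate(300, one_src))
    print("300 requests, two sources, 5 s window:", simulate(300, two_src))
    print("300 requests, one source, 0.2 s window:", simulate(300, one_src, 0.2))
```

With a single source and a 5-second window, requests 257 through 300 reuse Identifiers 0 through 43 and are discarded; a second source IP or a window shorter than the time it takes to wrap the Identifier space makes the drops disappear.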

The answer to my original question (Can we diversify the Radius source port?) seems to be No, so we'll try other things:

We'll use different Radius servers for each controller.

On option 1: yes, we are tuning the RFC's 'short span of time' down to as low as possible, but carefully since we don't know yet what other effects to expect.

On option 2: this is one of the things we also intend to do (we have a lot of interfaces), but there is one more question: does this work if we assign an interface *group* to an SSID?

Jacob Snyder
Level 5

I believe that it will pick the dynamic interface the client will hash into to send the request from, but I haven't tested this.

