09-10-2013 12:36 AM - edited 07-04-2021 12:48 AM
Our controllers use the default UDP source port 32769 for outgoing Radius requests.
According to the RFC, there can be no more than 256 different IDs for these requests. It has turned out that, in peak times, there are more than 256 outstanding requests, resulting in our Radius servers discarding some requests as supposed duplicates, because they have the same ID.
One solution would be to use a different source port for each request, or at least more than one for all requests. Is this possible?
09-10-2013 04:13 AM
Need more info... What controllers and what radius server? What code version also?
Sent from Cisco Technical Support iPhone App
09-10-2013 04:54 AM
Controllers are 5508, two active and two HA-standby.
Code version is 7.4.100.60.
Radius servers are Radiator version 4.10.
09-10-2013 07:44 AM
I don't know that radius server. Do you know if there is a limitation on the radius server as to how many simultaneous connections it can process?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-10-2013 08:04 PM
I don't know that you can configure the source port on the WLC.
Option 1: You could look at changing the radius timeout on the radius server so you aren't keeping radius sessions open as long. This might be a feasible option, but might not be present in all radius servers, it also might have undesired consequences.
Per the RFC:
Identifier: The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
Option 2: (Probably my preferred option)
Well, I don't think we can diversify the port number, but we can diversify the source IP. Assuming you have these clients on more than one dynamic interface, you could enable the option on the WLAN for the "RADIUS server interface override." Which would alter the source IP address from the Management interface to the dynamic interface the clients are on. You would have to have more than 1 dynamic interface to put clients on to make it happen, and you would have add all of the dynamic interfaces you wanted to leverage this technique with to the RADIUS server as clients, but this complies with the RFC.
This isn't a problem I have run into, but hopefully this will be something that is doable in your environment. I would hope that all 250 clients in that short of a period of time aren't all on the same dynamic interface.
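Added example to illustrate the two posts above (the 256-ID limit in the original question and the RFC 2865 duplicate check quoted in Option 1/2). This is not code from the thread, from the WLC or from Radiator; it is a small model in which a client builds real RFC 2865 Access-Request packets and a server applies the (source IP, source UDP port, Identifier) duplicate rule. The IP addresses, shared secret, credentials and the 30-second window are constructed assumptions; the source port 32769 is the one the original poster reports.

```python
"""Model of RFC 2865 Identifier exhaustion and the server-side duplicate check.
Added example, not code from the thread, Cisco or Radiator; hosts, secret,
credentials and the duplicate window below are constructed assumptions."""
import hashlib
import os
import struct

SECRET = b"s3cr3t"  # constructed shared secret (assumption)


def pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: pad to a multiple of 16,
    XOR each block with MD5(secret + Request Authenticator / previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def access_request(identifier: int, user: bytes, password: bytes,
                   nas_ip: str, secret: bytes = SECRET) -> bytes:
    """Build an Access-Request (Code 1). The Identifier is a single octet, so
    one source IP/port pair can have at most 256 distinct outstanding values."""
    if not 0 <= identifier <= 255:
        raise ValueError("RADIUS Identifier is a single octet")
    authenticator = os.urandom(16)                  # Request Authenticator
    hidden = pap_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(user)]) + user        # User-Name (1)
             + bytes([2, 2 + len(hidden)]) + hidden  # User-Password (2)
             + bytes([4, 6]) + bytes(int(o) for o in nas_ip.split(".")))  # NAS-IP-Address (4)
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs


class DuplicateCache:
    """Server side of RFC 2865 section 3: a request is treated as a
    retransmission if the same (source IP, source UDP port, Identifier) was
    seen less than `window` seconds ago (the RFC's 'short span of time')."""

    def __init__(self, window: float):
        self.window = window
        self.seen = {}  # (ip, port, identifier) -> last arrival time

    def accept(self, src_ip: str, src_port: int, packet: bytes, now: float) -> bool:
        key = (src_ip, src_port, packet[1])  # byte 1 of the header is the Identifier
        last = self.seen.get(key)
        if last is not None and now - last < self.window:
            return False  # discarded as a supposed duplicate
        self.seen[key] = now
        return True


def burst(server: DuplicateCache, sources, n: int, spacing: float = 0.0):
    """Send n Access-Requests, request i arriving at time i*spacing, spread
    round-robin over the given (source IP, source port) tuples; each tuple
    cycles its own 8-bit Identifier like a NAS would. Returns (accepted, discarded)."""
    next_id = {src: 0 for src in sources}
    accepted = discarded = 0
    for i in range(n):
        src = sources[i % len(sources)]
        ident = next_id[src]
        next_id[src] = (ident + 1) & 0xFF
        pkt = access_request(ident, b"user%d" % i, b"pw", src[0])
        if server.accept(src[0], src[1], pkt, now=i * spacing):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


if __name__ == "__main__":
    # One management interface, fixed source port 32769, 300 requests at once:
    # the 257th request reuses Identifier 0 and is dropped as a duplicate.
    mgmt = [("10.0.0.5", 32769)]
    print("single source, simultaneous:", burst(DuplicateCache(30), mgmt, 300))
    # Option 1: the same burst spread over 60 s with a 30 s window passes.
    print("single source, spaced 0.2 s:", burst(DuplicateCache(30), mgmt, 300, 0.2))
    # Option 2: four dynamic interfaces (RADIUS server interface override)
    # give four independent Identifier spaces, 1024 outstanding requests.
    dyn = [("10.0.%d.5" % vlan, 32769) for vlan in (10, 20, 30, 40)]
    print("four source IPs, simultaneous:", burst(DuplicateCache(30), dyn, 300))
```

The model only covers what the RFC text in the thread describes: the server key is (source IP, source port, Identifier), so adding source IPs (Option 2) or stretching arrivals past the duplicate window (Option 1) both restore capacity, while a single IP/port pair caps out at 256 outstanding requests regardless of server tuning.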
09-12-2013 06:24 AM
The answer to my original question (Can we diversify the Radius source port?) seems to be No, so we'll try other things:
We'll use different Radius servers for each controller.
On option 1: yes, we are tuning the RFC's 'short span of time' down to as low as possible, but carefully since we don't know yet what other effects to expect.
On option 2: this is one of the things we also intend to do (we have a lot of interfaces), but there is one more question: does this work if we assign an interface *group* to an SSID?
09-12-2013 06:42 AM
I believe that it will pick the dynamic interface the client will hash into to send the request from, but I haven't tested this.
Sent from Cisco Technical Support iPhone App