Bug 1630684 - correct receiving of multiple RADIUS packets through RadSec by freeradius
Summary: correct receiving of multiple RADIUS packets through RadSec by freeradius
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: freeradius
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Alex Scheel
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-09-19 05:45 UTC by Milan Kerslager
Modified: 2019-03-06 01:05 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)
fix: correct receiving of multiple RADIUS packets through RadSec (1.75 KB, patch)
2018-09-19 05:45 UTC, Milan Kerslager
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 880913 None None None 2018-09-19 05:45 UTC

Description Milan Kerslager 2018-09-19 05:45:58 UTC
Created attachment 1484574 [details]
fix: correct receiving of multiple RADIUS packets through RadSec

On a site with high load with FreeRADIUS v3 there is a bug with receiving multiple packet from incoming TLS (RadSec) connection that cause the site to fail authorisations for roaming users.

The patch has been verified by multiple admins of eduroam sites and tested in 3.0.12, 3.0.14 and 3.0.15 release.

The bug has been reported upstream and accepted in 3.0.16 release:

  https://github.com/FreeRADIUS/freeradius-server/pull/2106
  https://github.com/FreeRADIUS/freeradius-server/pull/2107

There is a workaround to set lifetime to 600 sec on smaller sites:
https://github.com/CESNET/ansible-freeradius/blob/master/templates/tls.j2#L49

Also there is a bug in 3.0.17 released on Apr 2018 so using latest version is not a solution: https://github.com/FreeRADIUS/freeradius-server/issues/2270

Comment 2 Nikolai Kondrashov 2018-09-19 09:06:08 UTC
Thank you for the thorough report and explanation, Milan. We'll see if we can incorporate the fix in one of our future releases. If you're a customer, or know a customer affected by this, make sure our support is aware of the issue to speed up resolution.


Note You need to log in before you can comment on or make changes to this bug.