When a user is authenticated, a device sends an Access-Request packet to the RADIUS server. To ensure that the device can still receive a response packet from the server when a network fault or delay occurs, a timeout-based retransmission mechanism is used. Timers control the retransmission times (the number of retransmissions) and the retransmission interval.
Figure 1 uses 802.1X authentication with client-initiated authentication as an example. After receiving an EAP packet (EAP-Response/Identity) containing the user name of the client, the device encapsulates the packet into a RADIUS Access-Request packet and sends it to the RADIUS server. The retransmission timer starts at the same time. The retransmission timer consists of the retransmission interval and the retransmission times. If the device has not received a response packet from the RADIUS server when the retransmission interval expires, it sends the RADIUS Access-Request packet again.
The device does not necessarily mark a server that does not respond as Down. It marks the server status as Down only if the corresponding conditions are met.
For an introduction to RADIUS server status and the conditions under which a device marks the server status as Down, see RADIUS Server Status Detection.
RADIUS packet retransmission discussed here applies only to a single server. If multiple servers are configured in a RADIUS server template, the overall retransmission period depends on the retransmission interval, retransmission times, RADIUS server status, number of servers, and algorithm for selecting the servers.
| Command | Description |
|---|---|
| radius-server retransmit retry-times | Specifies the retransmission times. The default value is 3. |
| radius-server timeout time-value | Specifies the retransmission interval. The default value is 5 seconds. |
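
The single-server retransmission loop described above, sketched as an added example (not code from this page or from the device vendor). The function names are hypothetical, `max_sends` is assumed to count every transmission including the first, and the RFC 2865 Response Authenticator check is included so that only a genuine reply from the configured server stops the timer.

```python
import hashlib, hmac, os, socket, struct, time

def build_access_request(identifier, user_name):
    """RFC 2865 Access-Request (code 1) carrying only a User-Name attribute."""
    attr = struct.pack("!BB", 1, 2 + len(user_name)) + user_name
    header = struct.pack("!BBH", 1, identifier, 20 + len(attr))
    return header + os.urandom(16) + attr  # 16-byte Request Authenticator

def valid_response(request, response, secret):
    """Accept a reply only if its Identifier and Response Authenticator match."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def send_with_retransmit(sock, server, request, secret, interval, max_sends):
    """Send the request and resend the identical packet whenever the
    retransmission interval expires without a valid reply.
    Returns (response or None, number of transmissions made)."""
    for sends in range(1, max_sends + 1):
        sock.sendto(request, server)
        deadline = time.monotonic() + interval
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                data, peer = sock.recvfrom(4096)
            except socket.timeout:
                break
            # Ignore datagrams from other sources or with a bad authenticator.
            if peer == server and valid_response(request, data, secret):
                return data, sends
    return None, max_sends  # caller decides what to do with a silent server

if __name__ == "__main__":
    # Constructed values: loopback address with nothing listening, demo secret.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    req = build_access_request(1, b"user@example")
    print(send_with_retransmit(s, ("127.0.0.1", 1812), req, b"demo-secret", 5, 3))
```

With the defaults from the table (interval 5, three transmissions), a silent server under this assumption costs 15 seconds before the loop returns `None`.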