# initial_rtx_time:: If there is no response within this time,
# the module will retransmit the packet.
#
- # Value should be `1..5`.
+ # Value should be `1..120`.
#
initial_rtx_time = 2
#
# max_rtx_time:: The maximum time between retransmissions.
#
- # Value should be `5..30`
+ # Value should be `5..120`
#
max_rtx_time = 16
# max_rtx_count:: How many times the module will send the packet
# before giving up.
#
- # Value should be `1..20` _(0 == retransmit forever)_
+ # Value should be `1..10` _(0 == retransmit forever)_
#
max_rtx_count = 2
# max_rtx_duration:: The total length of time the module will
# try to retransmit the packet.
#
- # Value should be `5..60`
+ # Value should be `5..240`
#
- max_rtx_duration = 30
+ max_rtx_duration = 5
}
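Review bot: The new default `max_rtx_duration = 5` for Access-Request sits at the bottom of its documented `5..240` range and makes `max_rtx_time = 16` in the same section unreachable; with `initial_rtx_time = 2` the request is presumably abandoned after about five seconds. That runs against the reason given in the C comment for widening the ranges (home servers waiting on MFA user input), so either keep the old `max_rtx_duration = 30` or add a comment such as `# Kept short by default; raise together with initial_rtx_time when the home server waits for user input (MFA).` Separately, the `max_rtx_count` text in both the Access-Request and Accounting-Request sections promises `0 == retransmit forever`, while the bound check shown for `Access-Request.max_rtx_count` enforces `>=, 1`, so a configured 0 would apparently not survive validation. The comment or the check should be aligned.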
#
# max_rtx_count = 0
#
Accounting-Request {
+ #
+ # initial_rtx_time:: If there is no response within this time,
+ # the module will retransmit the packet.
+ #
+ # Value should be `1..3`.
+ #
initial_rtx_time = 2
+
+ #
+ # max_rtx_time:: The maximum time between retransmissions.
+ #
+ # Value should be `5..30`
+ #
max_rtx_time = 16
+
+ #
+ # max_rtx_count:: How many times the module will send the packet
+ # before giving up.
+ #
+ # Value should be `1..10` _(0 == retransmit forever)_
+ #
max_rtx_count = 5
+
+ #
+ # max_rtx_duration:: The total length of time the module will
+ # try to retransmit the packet.
+ #
+ # Value should be `5..30`
+ #
max_rtx_duration = 30
}
FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1);
FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3));
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
+ /*
+ * initial and max rtx times are significantly
+ * higher for authentication packets, because
+ * in some cases we're proxying to another RADIUS
+ * which is performing MFA on our behalf and waiting
+ * for user input.
+ *
+ * We can afford to wait this long because the
+ * module is fully async, and the requests will
+ * sleep until they're work up.
+ */
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(120));
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(120));
FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10);
- FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
+ FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(240));
}
/*
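Review bot: The raised ceilings on `initial_rtx_time` and `max_rtx_time` (120s) and on `max_rtx_duration` (240s) are checked one field at a time, and nothing in the visible lines checks them against each other, so a configuration with `initial_rtx_time` above `max_rtx_duration` passes validation yet gives up before the first retransmission. A check after these macros that compares `.irt`, `.mrt` and `.mrd` and warns or clamps when they are out of order would catch it. The new comment should also record the cost of the long wait: each pending Access-Request keeps its tracking entry, and presumably its RADIUS packet ID, for up to 240 seconds, which lowers how many requests a connection can carry under load. Its last line has a typo and should read `* sleep until they're woken up.` The enclosing function starts above the hunk.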