Force MikroTik RADIUS Client to use TCP?

I’m having some problems with RADIUS accounting packets going missing on heavily loaded connections. RouterOS appears to only allow UDP connections to the RADIUS server. Am I missing something, or is there some hidden configuration somewhere to specify TCP? If I block UDP at the server, will the MikroTik RADIUS Client try to connect on UDP and then auto-retry via TCP?

Regards

Chris Macneill

RADIUS is UDP only as a conscious design choice.

The RFC allows use of TCP, so surely the choice of protocol should be the user’s? I have a problem: as currently implemented, the MikroTik RADIUS Client is unstable. If TCP were available, I could at least test whether using it would solve my problem.

I’m left with two choices, either live with something that has intermittent problems or replace MikroTik routers at affected sites with something more generic that correctly implements the RFCs and gives me the choice.

Can MikroTik not give us the choice whether to use TCP or UDP? This would seem a very simple change to make to software that performs pretty well under most circumstances, to make it more stable in marginal conditions. Anyone can make devices work in ideal conditions; what separates the great hardware from the average is when it performs equally (or almost so) under adverse conditions.

Regards

Chris Macneill

There is an IETF draft out there to extend RADIUS to run over TCP, but that is nothing but a draft that expired earlier this year and didn’t go anywhere. RFC2865 (which is what RouterOS and most every other vendor supports and implements) explicitly defines RADIUS to run over UDP. Section 2.4 explicitly explains why that choice was made.

If you have any information to the contrary I’d be very interested in some links.

OK, thanks for clarifying that. I read the RFCs about 10 years ago, but didn’t recall anything about TCP being “draft” status! I had assumed that since in all Linux systems TCP and UDP are defined in /etc/services for RADIUS authentication and accounting, these were “standard” from the initial implementation of RADIUS.

Regards

Chris Macneill

Does anybody know if MikroTik now supports RADIUS over TCP as per IETF RFC 6613 (https://tools.ietf.org/html/rfc6613), please?