Authentication Retransmission Algorithm

Two retransmission algorithms are used in combination: Back-off Round Robin, and simple Round Robin. The focus of this retransmission algorithm is to provide for server redundancy.
Note

The reason for using a combination of back-off and round-robin rather than the standard back-off algorithm where all configured transmissions occur to server 1 before transmitting to server 2 is to allow for more than one server to be tried prior to 802.1x timeout when EAP authentication is occurring.
The standard algorithm is as described in Authentication Retransmission Algorithm for a Single RADIUS Transaction (No Servers Responding 1) and is a combination of back-off and round-robin. This algorithm always uses the highest priority server first, regardless of past transaction history. If the highest priority server can handle the entire load, all transactions will go to that server. Consider three RADIUS servers – 1, 2 and 3 – with the configurable number of retries set to 2:
Authentication Retransmission Algorithm for a Single RADIUS Transaction (No Servers Responding 1)

This figure shows the entire retransmission algorithm for a single RADIUS transaction if none of the servers were to respond. No more transmissions will occur for this transaction if a response is received by the RADIUS client software within the configurable timeout period.

The round-robin retransmission algorithm is depicted in Authentication Retransmission Algorithm for a Single RADIUS Transaction (No Servers Responding 2) and is simply round-robin.

The configurable round-robin retransmission algorithm for RADIUS authentication aims to spread the load among all the configured servers. In large-scale deployments with high rates of authentication, this algorithm provides better performance than the default algorithm. The initial transmission for each potential authentication goes to the next server in the list. If 999 sessions were to be authenticated across three servers and no timeouts were to occur, then 333 requests would be sent to each server.

Consider three RADIUS servers: 1, 2 and 3 with the configurable number of retries set to 2 and where the prior session sent its initial request to server 1:

Authentication Retransmission Algorithm for a Single RADIUS Transaction (No Servers Responding 2)

This figure shows the entire retransmission algorithm for a single RADIUS transaction if none of the servers were to respond. No more transmissions will occur for this transaction if a response is received by the RADIUS client software within the configurable timeout period. All servers are considered the same priority when using this transmission algorithm with each server taking its turn receiving the initial transmission.
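As an added illustration (not code from the original documentation or its vendor), the following Python model contrasts the plain back-off schedule with the back-off round-robin and simple round-robin behaviour described above. Because the figures are not reproduced here, the exact interleaving and the number of transmissions per server (1 + retries) are assumptions of this model, not the documented schedule.

```python
# Constructed model of the RADIUS retransmission schedules discussed above.
# ASSUMPTION: each server receives 1 + retries transmissions; the exact
# interleaving shown in the vendor figures is not reproduced here.

def standard_backoff(servers, retries):
    """Plain back-off: exhaust every transmission to server 1 before server 2."""
    return [s for s in servers for _ in range(retries + 1)]

def backoff_round_robin(servers, retries):
    """Assumed combined schedule: each round walks the whole server list,
    always starting with the highest-priority server."""
    return [s for _ in range(retries + 1) for s in servers]

def round_robin_start(servers, prev_start):
    """Simple round-robin: the initial transmission goes to the server after
    the one the previous session started with; later transmissions follow
    the list in order from there."""
    idx = (servers.index(prev_start) + 1) % len(servers)
    return servers[idx:] + servers[:idx]

def transmissions_until_reply(schedule, alive):
    """Transmissions sent before a responding server is reached (the client
    stops retransmitting once a reply arrives), or None if all time out."""
    for n, server in enumerate(schedule, 1):
        if server in alive:
            return n
    return None

def distribute_sessions(servers, sessions, alive):
    """Which server answers each session's initial request under simple
    round-robin, assuming a down server's share falls to the next one up."""
    counts = {s: 0 for s in servers}
    prev = servers[-1]          # so the first session starts at servers[0]
    for _ in range(sessions):
        order = round_robin_start(servers, prev)
        prev = order[0]
        for server in order:
            if server in alive:
                counts[server] += 1
                break
    return counts

if __name__ == "__main__":
    S = ["server1", "server2", "server3"]
    down1 = {"server2", "server3"}   # constructed: server1 not responding
    print("plain back-off reaches a live server after",
          transmissions_until_reply(standard_backoff(S, 2), down1), "sends")
    print("back-off round-robin reaches a live server after",
          transmissions_until_reply(backoff_round_robin(S, 2), down1), "sends")
    print("999 sessions, all up:", distribute_sessions(S, 999, set(S)))
```

The gap between the two counts is the point of the Note above: with plain back-off, every retry to a dead server 1 is spent before the 802.1X timer has a chance to see server 2, whereas the combined schedule tries server 2 on the second transmission.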