FreeRADIUS InkBridge

Unexpected Request Code

This error occurs when the RADIUS client and server do not have a common configuration. Each listen section specifies which RADIUS request types the server accepts. If a client sends a request type that is not listed in the listen section configuration, the server rejects it and shows an "Unexpected Request Code" error.

A key aspect of the RADIUS protocol is that it does not have any way to negotiate capabilities between the client and server. This is different from many other protocols. For example, HTTP allows a client to send an OPTIONS request to check a server’s capabilities. In contrast, a RADIUS client cannot discover which packet types a server will accept. This means that an administrator has to manually update the configuration if there’s a mismatch.

To fix an Unexpected Request Code error, you have two options. First, reconfigure the client to send only the packet types that the server expects. This may involve updating the client’s software or adjusting its configuration files. This ensures the client works within the limits set by the server’s listen section.

You can also change the server’s listen section to list the packet types sent by the client. See the individual listen section for how this is done.

Invalid Packets

RADIUS packets have a long list of requirements that they have to meet in order to be accepted by the server. These requirements include (but are not limited to):

  • the packet must be at least 20 bytes long

  • the packet can’t be too large (more than 4096 bytes)

  • the Code field must be valid (e.g. contain Access-Request, Accounting-Request, etc.)

  • the Length field must have a good value (not too small, not too large)

  • the attributes must be well-formed

  • the attribute number must be valid

  • the attribute length field must have a good value (not too small, not too large)

If the packet fails any one of these checks, it is invalid, and the server discards it. The server also produces an error in debug mode. That error describes the specific reason why the packet was discarded.
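The checks listed above can be sketched as a small standalone validator. This is an added example, not FreeRADIUS code: the function names, the reason strings, the subset of packet codes and the treatment of attribute number 0 as invalid are assumptions of the example, and the sample packets are constructed.

```python
import struct

# Illustrative subset of RADIUS packet codes; not a server's full list.
KNOWN_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response",
               11: "Access-Challenge", 12: "Status-Server",
               40: "Disconnect-Request", 43: "CoA-Request"}
MIN_LEN, MAX_LEN = 20, 4096  # header-only minimum and maximum packet size


def check_packet(data: bytes):
    """Return None if the packet passes the structural checks, else a reason."""
    if len(data) < MIN_LEN:
        return "packet shorter than 20 bytes"
    if len(data) > MAX_LEN:
        return "packet longer than 4096 bytes"
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if code not in KNOWN_CODES:
        return f"unknown Code {code}"
    if length < MIN_LEN:
        return "Length field too small"
    if length > len(data):
        return "Length field larger than received data"
    pos = MIN_LEN  # attributes start after the 20-byte header
    while pos < length:  # octets past Length are padding and are ignored
        if length - pos < 2:
            return "attribute header truncated"
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_type == 0:  # assumption of this example: 0 is not a valid number
            return "attribute number 0 is invalid"
        if attr_len < 2:
            return "attribute length too small"
        if pos + attr_len > length:
            return "attribute overflows packet"
        pos += attr_len
    return None


def build(code, attrs=b"", length=None):
    """Constructed sample packet: identifier 1, zeroed authenticator."""
    total = MIN_LEN + len(attrs) if length is None else length
    return struct.pack("!BBH", code, 1, total) + bytes(16) + attrs


if __name__ == "__main__":
    samples = [build(1, b"\x01\x05bob"), b"GET / HTTP/1.1\r\n\r\n",
               build(99), build(1, length=64), build(1, b"\x01\x01")]
    for pkt in samples:
        print(check_packet(pkt) or "ok")
```

The second sample is an HTTP request line, the kind of non-RADIUS traffic that fails the first check when it reaches a RADIUS port.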

Whatever the reason or error message, the underlying cause is the same. Some system is sending packets to the server which aren’t valid RADIUS. The solution to the problem is to take one of the following actions, or all of them:

  1. Fix the other system to stop sending non-RADIUS packets to the server

  2. Add a firewall or rules to block traffic from that system at the OS layer, so that FreeRADIUS never sees that traffic.

The exact steps to take for either action depend on third-party software, and as such are not documented here.

For more information, see the network security page.