duplicate Identity received, freeradius behaviour?
Alan DeKok
aland at deployingradius.com
Mon May 18 17:26:40 CEST 2009
Jean F. Mousinho wrote:
> I've noticed that on our radius server logs lots of "EAP state variable
> not found", after some packet dump analysis (also -Xf) I've noticed that
> one of the cases that this happened was when some EAP Identity packets
> are duplicated during parallel authentications (I mean, when at least
> one session already began from the same client, and we're receiving
> duplicate).

Your NAS (wireless AP) is broken. It should NOT be sending new RADIUS
packets for EAP re-transmissions.

> I've noticed that these duplicate packets come with just a little
> difference which is the Proxy-State, the duplicate packets then, in my
> opinion could be caused by some bad proxying implementation (client EAP
> Identity passing through 2 or more proxies?), or even bad load
> balancing.

The Proxy-State attribute is different, *and* the RADIUS Id is
different. Because they are two independent authentication sessions.

> Also, we did an upgrade of one of the two proxies connected to our home
> radius server and somehow noticed that the amount of EAP state errors
> was lower in the old version (1.1.7) than in the newer (2.1.3) (although
> it's hard to confirm that).
>
> I've tried to compare the code from 1.1.7 and 2.1.3 and didn't come to a
> clear conclusion if there is any special treatment to duplicate proxied
> packets between 1.1.7 and 2.1.3 (while proxying).

Both versions treat *duplicate* packets identically. However, if the
packets are *not* duplicate, both treat the packets as independent
authentication sessions.

Odds are that your NAS is sending *two* RADIUS authentications. i.e.
*two* sessions for *one* user. It's broken. Throw it out, and buy one
that works.

Alan DeKok.
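
The distinction drawn in this thread, between a retransmitted request and a second independent session for the same user, can be checked against a packet capture. The following is an added example, not part of the original post and not FreeRADIUS code. It assumes duplicates are recognised by source IP, source port, Identifier and Request Authenticator; the WINDOW value, the label names and the sample packets are constructed for illustration.

```python
import struct

USER_NAME, STATE, CALLING_STATION_ID, PROXY_STATE, EAP_MESSAGE = 1, 24, 31, 33, 79
WINDOW = 5.0  # seconds; assumed threshold for calling two starts "parallel"

def parse(data):
    """Return (Identifier, Request Authenticator, {attr_type: [values]})."""
    if len(data) < 20 or not 20 <= int.from_bytes(data[2:4], "big") <= len(data):
        raise ValueError("bad RADIUS header or length")
    length, attrs, pos = int.from_bytes(data[2:4], "big"), {}, 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return data[1], data[4:20], attrs

def is_eap_identity(attrs):
    eap = b"".join(attrs.get(EAP_MESSAGE, []))
    return len(eap) >= 5 and eap[0] == 2 and eap[4] == 1  # EAP Response, type Identity

def classify(events):
    """events: iterable of (timestamp, src_ip, src_port, raw_packet); returns labels."""
    seen, started, labels = set(), {}, []
    for ts, src, sport, raw in events:
        ident, auth, attrs = parse(raw)
        who = (attrs.get(USER_NAME, [b""])[0], attrs.get(CALLING_STATION_ID, [b""])[0])
        key = (src, sport, ident, auth)  # assumed duplicate key; Proxy-State plays no part
        if key in seen:
            labels.append("duplicate")  # a real retransmission of the same request
        elif is_eap_identity(attrs) and STATE not in attrs:
            prev = started.get(who)  # an earlier start for the same user and station?
            labels.append("parallel-start" if prev is not None and ts - prev <= WINDOW else "start")
            started[who] = ts
        else:
            labels.append("continue")  # has State, or is not an Identity response
        seen.add(key)
    return labels

def build(ident, auth, user, station, proxy_state, extra=()):  # constructed sample packet
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user
    attrs = [(USER_NAME, user), (CALLING_STATION_ID, station), (EAP_MESSAGE, eap), (PROXY_STATE, proxy_state), *extra]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + auth + body

A = build(10, b"\x01" * 16, b"alice", b"00-11-22-33-44-55", b"px1")  # constructed
B = build(11, b"\x02" * 16, b"alice", b"00-11-22-33-44-55", b"px2")  # new Id, new Proxy-State
SAMPLE = [(0.0, "192.0.2.10", 40001, A), (0.3, "192.0.2.10", 40001, A), (0.4, "192.0.2.10", 40001, B)]
```

classify(SAMPLE) labels the second packet a duplicate and the third a parallel-start; a high count of parallel-start labels from one NAS or proxy path matches the situation described in the reply above.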