EAP-TLS Failed in handler question

PENZ Robert ROBERT.PENZ at TIROL.GV.AT
Mon Nov 19 09:23:05 CET 2012


Hi!

I have 802.1X (EAP-TLS) activated on a wired network, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client, I cannot put a sniffer between the PC and the switch, as I don't know which client is the next. But I enabled the debug logging on the FreeRADIUS server. The clients are Windows 7 PCs and I'm running freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to check if the request is itself ok? Here is the first packet from this client in some time, and it already generates the error. But the same client worked before and after it for days without a problem:

rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
        User-Name = "host/xxxxxxxxxxxxx.tirol.local"
        EAP-Message = 0x02ff00690d800000005f160301005a01000056030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef8000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
        NAS-IP-Address = 10.xxx.xxx.4
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "2:3"
        NAS-Port = 2003
        NAS-Port-Type = Ethernet
        State = 0x8df2b5f98df2b8eb6e43e372671f4335
        Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

Invalid means I return a reject ... should I return something else? Is this a client problem or a misconfiguration on my part? Thanks for your help!


Kind regards
Robert Penz

--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.penz at tirol.gv.at
