Indeterministic EAP error

Matthew Newton mcn4 at leicester.ac.uk
Thu Oct 4 23:52:29 CEST 2012


On Thu, Oct 04, 2012 at 05:45:30PM +0200, Matthias Nagel wrote:
> WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!
...
> Has anybody an idea what the reason might be?

We see it a lot less since we tweaked the EAP timers on our Cisco
Wireless Controller. You don't say what APs or system you're
using, but for example if it's the Cisco WLCs see
https://supportforums.cisco.com/docs/DOC-12110

The issue would go /something/ like (I forget the precise details):

  User clicks connect

  (*) Types in username and password slowly

  EAP Identity Request would time out (20s or so)

  EAP session would get closed - client & controller would give up -
  error above

  User clicks login

  EAP session starts again

  either a) EAP completes and client connects

  or b) client realises that their EAP session got broken, and
  prompts the user for their password again - go back to '*'.

Then... after a couple of times, the controller might figure
that the client has done some bad authentications, and ban them
for a minute or so.

We tweaked the timers to make the Identity Request time + max
retries longer, and disabled the automatic banning of clients from
invalid authentications. Generally now the only time we see that
error is if we restart FreeRADIUS (in which case, EAP sessions in
transit get broken, so it's the sort of thing I expect).

You still sometimes see it if a client is on the edge of a radio
cell, and moves out of range whilst connecting, for example, but
it's nothing like as often as it used to be.

In short, it's a client/NAS issue, as already stated.

Hope that helps,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
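
An added example, not part of the message above and not FreeRADIUS code: a small triage script that separates "did not finish" warnings that fall close to a server restart (the expected case described above) from the rest, which point at client/NAS timers or radio coverage. The log timestamp layout, the "Error:" prefix, the "Ready to process requests" restart marker and the 90-second window are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines; the timestamp layout and the restart marker
# ("Ready to process requests") are assumptions about the local radius.log.
SAMPLE_LOG = """\
Thu Oct  4 09:14:51 2012 : Error: WARNING: !! EAP session for state 0x1a2b3c4d5e6f7081 did not finish!
Thu Oct  4 09:15:20 2012 : Error: WARNING: !! EAP session for state 0x2b3c4d5e6f708192 did not finish!
Thu Oct  4 12:00:03 2012 : Info: Ready to process requests.
Thu Oct  4 12:00:31 2012 : Error: WARNING: !! EAP session for state 0x3c4d5e6f708192a3 did not finish!
Thu Oct  4 12:00:40 2012 : Error: WARNING: !! EAP session for state 0x4d5e6f708192a3b4 did not finish!
Thu Oct  4 15:42:07 2012 : Error: WARNING: !! EAP session for state 0x5e6f708192a3b4c5 did not finish!
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : (.*)$")
UNFINISHED = re.compile(r"EAP session for state (0x[0-9A-Za-z]+) did not finish")
RESTART = "Ready to process requests"


def triage(log_text, window=timedelta(seconds=90)):
    """Split 'did not finish' warnings into restart-related and unexplained."""
    restarts, warnings = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip continuation lines or other layouts
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        hit = UNFINISHED.search(m.group(2))
        if hit:
            warnings.append((ts, hit.group(1)))
        elif RESTART in m.group(2):
            restarts.append(ts)
    related, unexplained = [], []
    for ts, state in warnings:
        near = any(abs(ts - r) <= window for r in restarts)
        (related if near else unexplained).append((ts, state))
    # Hourly counts of the unexplained ones, to line up with NAS/WLC logs.
    per_hour = Counter(ts.strftime("%Y-%m-%d %H:00") for ts, _ in unexplained)
    return related, unexplained, per_hour


if __name__ == "__main__":
    related, unexplained, per_hour = triage(SAMPLE_LOG)
    print(f"{len(related)} near a restart, {len(unexplained)} unexplained")
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}  {n} unfinished EAP session(s): check NAS timers / coverage")
```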

