Help troubleshooting No EAP session matching...

Dave Aldwinckle daldwinc at uwaterloo.ca
Thu Sep 15 15:57:24 CEST 2016 

Hi List,

During periods of high load, we are seeing many messages like the following:

radiusd[28187]: rlm_eap: No EAP session matching the State variable.

I understand the meaning of the message, but I need some assistance on 
how to go about locating the source of the problem.

During peak times, we have about 8K wireless logins per minute, for 
extended periods. We have 6 wireless controllers, from which the 
Access-Requests are sent. Due to the high load, I am unable to run the 
server with -X, because it gets crushed while running single threaded. I 
can use radmin, but I'm not sure what to set the debug condition to.

I don't see any errors about child processes being hung, or 
winbind/ntlm_auth taking too long.

Some values which may be relevant:

radiusd.conf: max_request_time = 30
radiusd.conf: cleanup_delay = 5
radiusd.conf: max_requests = 8000000 #about 30K wireless users at peak * 
256 ~= 8million
radiusd.conf: start_servers = 5
radiusd.conf: max_servers = 32
radiusd.conf: min_spare_servers = 3
radiusd.conf: max_spare_servers = 10
radiusd.conf: #       max_queue_size = 65536 (unsure why this is 
commented out)

mods-enabled/eap: timer_expire = 60
mods-enabled/eap: cache = disabled

$ openssl speed rsa2048
Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May  2 06:13:20 EDT 2016
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) 
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

                   sign    verify    sign/s verify/s
rsa 2048 bits 0.001902s 0.000057s    525.8  17623.3

So, a couple questions:

1. Is there a way to get more info along with the message "rlm_eap: No 
EAP session matching the State variable." ?
     - eg. Which NAS it came from, calling-station-id, etc.

2. Are the aforementioned values OK?

Any advice would be appreciated.

Regards,
Dave

More information about the Freeradius-Users mailing list