Issue with EAP authentication on packet loss
a.cudbardb at freeradius.org
Wed Apr 25 12:39:47 CEST 2018
> On Apr 25, 2018, at 8:45 PM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
>> We have a problem when packet loss occurs at step #4 of the EAP dialogue:
>> 1) Access-Request
>> 2) Access-Challenge
>> 3) Access-Request
>> 4) Accept or Reject (in this case: Access-Accept)
>> 5) Access-Request (duplicate)
>> 6) Reject
>> In this case, #4 is sent by the server but gets lost on its way to the
>> NAS. I've managed to reproduce using iptables dropping the packet. So
>> after some time the NAS sends packet #3 again. At that point I am
>> getting "No EAP session matching state" from the eap module in the
>> "authenticate" section and the request is rejected.
> To be fair, this is not limited to packet loss.
> We've seen this in normal operations - the story goes like:
> - server sends Access-Accept with an attribute X via a chain of proxies
> - some proxy takes offence by the presence of attribute X, discards
> - client times out and re-sends
> - server has forgotten all about the session state, rejects
> I believe the underlying issue is that FreeRADIUS thinks "fire and
> forget" when the final packet is out.
It should cache the response for the duration of cleanup_delay. If it's not, then that's a bug.
More information about the Freeradius-Users