On Jun 15, 2021, at 7:16 AM, saurabha badhai <saurabha.badhai@gmail.com> wrote:
Using freeradius server set EAP_PEAP method for authentication. When try to do more authentication per second may be 600 or higher, seeing errors at radius server.
I am using freeradius version 3.0.13 to test,
Use 3.0.23. It has a lot of improvements, including better TLS messages. It's available as a CentOS7 package: https://networkradius.com/packages/
Tue Jun 15 16:37:23 2021 : ERROR: (296599) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x6e130c1e6e1215a6
The server has to track EAP messages across multiple packets. It does that via the State attribute. That message means that the server has given up on an EAP message, and deleted it as too old / too many. Then after that happened, the client sent another EAP message for that session. Try editing mods-available/eap, and setting max_sessions = 100000 or maybe a higher number. It *might* help.
Tue Jun 15 16:37:23 2021 : ERROR: (296602) eap_peap: ERROR: TLS Alert read:fatal:decode error Tue Jun 15 16:37:23 2021 : ERROR: (296602) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Internal TLS / OpenSSL errors. That's out of our control. If your system can't handle 600 auths/s, then your solutions are: a) lower the number of packets hitting the server b) upgrade the server to faster CPU / memory / etc. Alan DeKok.