Jean F. Mousinho wrote:
I've noticed that on our radius server logs lots of "EAP state variable not found", after some packet dump analysis (also -Xf) I've noticed that one of the cases that this happened was when some EAP Identity packets are duplicated during parallel authentications (I mean, when at least one session already began from the same client, and we're receiving duplicate ).
Your NAS (wireless AP) is broken. It should NOT be sending new RADIUS packets for EAP re-transmissions.
I've noticed that these duplicate packets come with just a little difference which is the Proxy-State, the duplicate packets then, in my opinion could be caused by some bad proxying implementation (client EAP Identity passing through 2 or more proxies?), or even bad load balancing.
The Proxy-State attribute is different, *and* the RADIUS Id is different. Because they are two independent authentication sessions.
Also, we did an upgrade of one of the two proxies connected to our home radius server and somehow noticed that the amount of EAP state errors was lower in the old version (1.1.7) than in the newer (2.1.3) (although its hard to confirm that).
I've tried to compare the code from 1.1.7 and 2.1.3 and didn't come to a clear conclusion if its there any special treatment to duplicate proxied packets between 1.1.7 and 2.1.3 (while proxying).
Both versions treat *duplicate* packets identically. However, if the packets are *not* duplicate, both treat the packets as independent authentication sessions. Odds are that your NAS is sending *two* RADIUS authentications. i.e. *two* sessions for *one* user. It's broken. Throw it out, and buy one that works. Alan DeKok.