rlm_eap problem after upgrade from 2.1.12 to 2.2.5 via radsecproxy
Hello community, my setup are two boxes with Freeradius and radsecproxy 1.6.5 in an eduroam environment. after upgrading from 2.1.12 to 2.2.5 without any configuration changes I register an enormous (times 31 (562:17678 per day)) amount of error messages: "rlm_eap: No EAP session matching the State variable." The following "Login incorrect:" is mainly from the radsecproxy nas clients. Users from the remote locations brought me to the Problem since they are authenticated OK and just seconds later the above error results in a "Login incorrect". These users are filling my logs with wavelike loglines (OK, incorrect, OK, incorrect). On the other hand not all remote users are affected. The users who stated to have to problem were all within the international eduroam community (not national), but this is just a guess. I do not understand why the eap state variable could be mixed up by a Software Upgrade to a "stable" version, so it looks to me that the problem resides within the freeradius programming. At the moment I do not fully understand all code differences between the two versions. I downgraded to 2.1.12 again to keep my users online, but the problem should be solved. Any ideas to debug the problem are welcome. Does anyone see similar problems with 2.2.5? Thanks for any help, Thomas Böttcher
Thomas Boettcher wrote:
my setup are two boxes with Freeradius and radsecproxy 1.6.5 in an eduroam environment.
after upgrading from 2.1.12 to 2.2.5 without any configuration changes I register an enormous (times 31 (562:17678 per day)) amount of error messages: "rlm_eap: No EAP session matching the State variable."
That's generally a proxy problem. The client transmits a packet through proxy A, and retransmits the same packet through proxy B.
Users from the remote locations brought me to the Problem since they are authenticated OK and just seconds later the above error results in a "Login incorrect".
No. If they're authenticated OK, then they're authenticated. There is no way to remotely fail an authentication which previously succeeded.
I do not understand why the eap state variable could be mixed up by a Software Upgrade to a "stable" version, so it looks to me that the problem resides within the freeradius programming. At the moment I do not fully understand all code differences between the two versions.
There are a LOT of differences between the two versions. But nothing (to my knowledge) that would create this problem.
Any ideas to debug the problem are welcome.
Run the server in debugging mode.
Does anyone see similar problems with 2.2.5?
I don't think so. Alan DeKok.
Hi Alan, thanks for your answer. On 02.09.2014 18:13, Alan DeKok wrote:
Thomas Boettcher wrote:
after upgrading from 2.1.12 to 2.2.5 without any configuration changes I register an enormous (times 31 (562:17678 per day)) amount of error messages: "rlm_eap: No EAP session matching the State variable."
That's generally a proxy problem. The client transmits a packet through proxy A, and retransmits the same packet through proxy B.
what me concerns is, that the problem occurs, when MY freeradius is upgraded. So it looks to me that the software is handling something within the eap more strictly.
Users from the remote locations brought me to the Problem since they are authenticated OK and just seconds later the above error results in a "Login incorrect".
No. If they're authenticated OK, then they're authenticated. There is no way to remotely fail an authentication which previously succeeded.
I analysed my logs and picked some users with high amounts of Login problems. Running in 2.1.12 there is also a high amount of Logins for this user at the remote site. The only difference is, that they all are accepted. In 2.2.5 I get this: 2 Login OK (outer and inner Tunnel) 5-10 secs later: rlm_eap State variable error with Login incorrect. This repeats mostly every 30 seconds. Leads me to the assumption, that the remote NAS is doing Login requests very ofter (maybe WLAN coverage holes or many autonomous APs).
Run the server in debugging mode.
I will get back, wenn set up a fresh radius server for debugging purpose. Thomas
Thomas Boettcher wrote:
what me concerns is, that the problem occurs, when MY freeradius is upgraded. So it looks to me that the software is handling something within the eap more strictly.
That could be true. It could also be true that the SSL interactions are different. Windows is *very* picky about SSL in EAP.
I analysed my logs and picked some users with high amounts of Login problems. Running in 2.1.12 there is also a high amount of Logins for this user at the remote site. The only difference is, that they all are accepted. In 2.2.5 I get this: 2 Login OK (outer and inner Tunnel) 5-10 secs later: rlm_eap State variable error with Login incorrect. This repeats mostly every 30 seconds.
That's a problem. The user shouldn't be authenticating every 30s.
Leads me to the assumption, that the remote NAS is doing Login requests very ofter (maybe WLAN coverage holes or many autonomous APs).
Which can lead to network problems. Alan DeKok.
We have alike issues in 2.2.5 where the EAP proxying at some point (usually 2-3months uptime) just stops working without any error messages in the log. A reload of freeradius process makes it work again. We are not using status-messages to verify server availability On Wed, Sep 3, 2014 at 4:06 PM, Alan DeKok <aland@deployingradius.com> wrote:
Thomas Boettcher wrote:
what me concerns is, that the problem occurs, when MY freeradius is upgraded. So it looks to me that the software is handling something within the eap more strictly.
That could be true. It could also be true that the SSL interactions are different. Windows is *very* picky about SSL in EAP.
I analysed my logs and picked some users with high amounts of Login problems. Running in 2.1.12 there is also a high amount of Logins for this user at the remote site. The only difference is, that they all are accepted. In 2.2.5 I get this: 2 Login OK (outer and inner Tunnel) 5-10 secs later: rlm_eap State variable error with Login incorrect. This repeats mostly every 30 seconds.
That's a problem. The user shouldn't be authenticating every 30s.
Leads me to the assumption, that the remote NAS is doing Login requests very ofter (maybe WLAN coverage holes or many autonomous APs).
Which can lead to network problems.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Jonathan -
Thomas Boettcher