freeRadius fails to authenticate the users
Hi All, We are using freeRadius to authenticate 16 supplicants. The early ones get authorized but the last 3 or 4 ones get rejected corresponding the following logs in freeRadius: Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [user] (from client 0.0.0.0/0 port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed to get handler, probably already removed, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 26 for 1 seconds Can any one help me to tackle this problem? Thanks, Niloofar
On Aug 2, 2019, at 2:35 PM, Niloofar Toorchi <niloofar@opennetworking.org> wrote:
We are using freeRadius to authenticate 16 supplicants. The early ones get authorized but the last 3 or 4 ones get rejected corresponding the following logs in freeRadius:
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] = invalid
That's v2. :( If it works, good. If not... please upgrade to v3. This is likely not a RADIUS issue. If the EAP session times out, it's because the supplicant is taking 30+ seconds between packets. Which is stupid.
Can any one help me to tackle this problem?
Test with v3, which has much better debugging messages. Alan DeKok.
Thanks Alan! Is there any way we can increase the 30-sec limit to say 45 seconds? Niloofar On Fri, Aug 2, 2019 at 11:44 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 2, 2019, at 2:35 PM, Niloofar Toorchi <niloofar@opennetworking.org> wrote:
We are using freeRadius to authenticate 16 supplicants. The early ones get authorized but the last 3 or 4 ones get rejected corresponding the following logs in freeRadius:
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] = invalid
That's v2. :( If it works, good. If not... please upgrade to v3.
This is likely not a RADIUS issue. If the EAP session times out, it's because the supplicant is taking 30+ seconds between packets. Which is stupid.
Can any one help me to tackle this problem?
Test with v3, which has much better debugging messages.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 2, 2019, at 2:55 PM, Niloofar Toorchi <niloofar@opennetworking.org> wrote:
Thanks Alan! Is there any way we can increase the 30-sec limit to say 45 seconds?
Use v3. It's configurable. But realistically, if 30s isn't enough, then 45s won't be enough, either. EAP authentication should take less than 1s. If it's taking more than that, work-arounds won't help. You really need to find the root cause of the issue, and fix it. Alan DeKok.
participants (2)
-
Alan DeKok -
Niloofar Toorchi