too many "No EAP session matching state 0x…" with FR 3.0.x
Hi! After running FR 3.0.3 from GIT (FR 3.0.2 as well) for a while (a few hours) lots of “Error: rlm_eap (EAP): No EAP session matching state 0x…” appear in the log file. A restart of FR and the error messages are gone for the present. These requests come from RADIUS over TLS (radsec) clients explained in /etc/freeradius/sites-available/tls Is this a bug or a misconfiguration? Best wishes Michael Fri Jun 13 09:30:53 2014 : Auth: (10040) Login incorrect: [userxy@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:30:53 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x7c19d06a7714c91d Fri Jun 13 09:30:59 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x7c19d06a7714c91d Fri Jun 13 09:30:59 2014 : Auth: (10041) Login incorrect: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:30:59 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x7c19d06a7714c91d Fri Jun 13 09:31:20 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x6d7d7a2a6d6d63c6 Fri Jun 13 09:31:20 2014 : Auth: (10045) Login incorrect: [userxy@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:31:20 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x6d7d7a2a6d6d63c6 Fri Jun 13 09:31:27 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x6d7d7a2a6d6d63c6 Fri Jun 13 09:31:27 2014 : Auth: (10047) Login incorrect: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:31:27 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x6d7d7a2a6d6d63c6 Fri Jun 13 09:31:37 2014 : Auth: (10098) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc via TLS tunnel) Fri Jun 13 09:31:37 2014 : Auth: (10099) Login OK: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67 via TLS tunnel) Fri Jun 13 09:31:37 2014 : Auth: (10100) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 09:31:38 2014 : Auth: (10101) Login OK: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:32:18 2014 : Auth: (10152) Login OK: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67 via TLS tunnel) Fri Jun 13 09:32:18 2014 : Auth: (10154) Login OK: [userxy@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 58-55-ca-f8-50-67) Fri Jun 13 09:32:28 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x31cdab6e35cbb2ff Fri Jun 13 09:32:28 2014 : Auth: (10170) Login incorrect: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 09:32:28 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x31cdab6e35cbb2ff Fri Jun 13 09:32:40 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:32:40 2014 : Auth: (10203) Login incorrect: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 09:32:40 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:32:50 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:32:50 2014 : Auth: (10207) Login incorrect: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 09:32:50 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:32:53 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:32:53 2014 : Auth: (10208) Login incorrect: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 09:32:53 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xead9ddeceadbc462 Fri Jun 13 09:36:25 2014 : Auth: (10471) Login OK: [userxz@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 132 cli 68-A8-6D-0E-E4-CE via TLS tunnel) Fri Jun 13 09:36:25 2014 : Auth: (10472) Login OK: [user128@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 14088 cli 84-7A-88-75-92-4E via TLS tunnel) Fri Jun 13 09:36:25 2014 : Auth: (10473) Login OK: [userxz@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 132 cli 68-A8-6D-0E-E4-CE) Fri Jun 13 09:36:27 2014 : Auth: (10474) Login OK: [user128@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 14088 cli 84-7A-88-75-92-4E) Fri Jun 13 09:40:45 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x2acecbf92accd2dc Fri Jun 13 09:40:45 2014 : Auth: (10853) Login incorrect: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab) Fri Jun 13 09:40:45 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x2acecbf92accd2dc Fri Jun 13 09:40:48 2014 : Auth: (10876) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab via TLS tunnel) Fri Jun 13 09:40:48 2014 : Auth: (10877) Login OK: [user810@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 0 via TLS tunnel) Fri Jun 13 09:40:48 2014 : Auth: (10878) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab) Fri Jun 13 09:41:08 2014 : Auth: (10913) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0 via TLS tunnel) Fri Jun 13 09:41:08 2014 : Auth: (10914) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0) Fri Jun 13 09:41:14 2014 : Auth: (10927) Login OK: [user810@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 0) Fri Jun 13 09:43:05 2014 : Auth: (11158) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0 via TLS tunnel) Fri Jun 13 09:43:05 2014 : Auth: (11159) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0) Fri Jun 13 09:43:25 2014 : Auth: (11213) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0 via TLS tunnel) Fri Jun 13 09:43:25 2014 : Auth: (11214) Login OK: [user810@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 0) Fri Jun 13 09:44:41 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xc147e16bc145f804 Fri Jun 13 09:44:41 2014 : Auth: (11385) Login incorrect: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab) Fri Jun 13 09:44:41 2014 : Error: rlm_eap (EAP): No EAP session matching state 0xc147e16bc145f804 Fri Jun 13 09:44:46 2014 : Auth: (11422) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab via TLS tunnel) Fri Jun 13 09:44:46 2014 : Auth: (11423) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c via TLS tunnel) Fri Jun 13 09:44:46 2014 : Auth: (11424) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab) Fri Jun 13 09:44:56 2014 : Auth: (11445) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 09:45:17 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x77b7713e7ca66843 Fri Jun 13 09:45:17 2014 : Auth: (11503) Login incorrect: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 09:45:17 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x77b7713e7ca66843 Fri Jun 13 09:45:21 2014 : Auth: (11537) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab via TLS tunnel) Fri Jun 13 09:45:21 2014 : Auth: (11538) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c via TLS tunnel) Fri Jun 13 09:45:21 2014 : Auth: (11539) Login OK: [user207@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13 cli 84-fc-fe-c5-17-ab) Fri Jun 13 09:45:31 2014 : Auth: (11570) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 09:45:49 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x58b807b453a81e77 Fri Jun 13 09:45:49 2014 : Auth: (11605) Login incorrect: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 09:45:49 2014 : Error: rlm_eap (EAP): No EAP session matching state 0x58b807b453a81e77 [RESTART FR] Fri Jun 13 09:53:23 2014 : Info: Signalled to terminate Fri Jun 13 09:53:23 2014 : Info: Exiting normally Fri Jun 13 09:53:23 2014 : Info: rlm_ldap (ldap): Closing connection (0) Fri Jun 13 09:53:24 2014 : Info: rlm_ldap (ldap): Opening additional connection (0) Fri Jun 13 09:53:24 2014 : Info: Loaded virtual server <default> Fri Jun 13 09:53:24 2014 : Info: Loaded virtual server default Fri Jun 13 09:53:24 2014 : Info: Loaded virtual server inner-tunnel Fri Jun 13 09:53:24 2014 : Info: Ready to process requests Fri Jun 13 09:53:25 2014 : Info: ... adding new socket auth+acct from client (192.168.71.138, 45129) -> (*, 2083, virtual-server=default) Fri Jun 13 09:53:26 2014 : Info: ... adding new socket auth+acct from client (192.168.71.134, 53659) -> (*, 2083, virtual-server=default) Fri Jun 13 09:53:46 2014 : Auth: (89) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 331 cli CC-3A-61-6C-9E-60 via TLS tunnel) Fri Jun 13 09:53:46 2014 : Auth: (90) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 331 cli CC-3A-61-6C-9E-60) Fri Jun 13 09:54:27 2014 : Auth: (159) Login OK: [userxz@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 142 cli 68-A8-6D-0E-E4-CE via TLS tunnel) Fri Jun 13 09:54:27 2014 : Auth: (160) Login OK: [userxz@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 142 cli 68-A8-6D-0E-E4-CE) Fri Jun 13 09:54:39 2014 : Auth: (183) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 13302 cli CC-3A-61-6C-9E-60 via TLS tunnel) Fri Jun 13 09:54:39 2014 : Auth: (184) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 13302 cli CC-3A-61-6C-9E-60) Fri Jun 13 09:55:34 2014 : Auth: (235) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 48802 cli cc3a.616c.9e60 via TLS tunnel) Fri Jun 13 09:55:34 2014 : Auth: (237) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 48802 cli cc3a.616c.9e60) Fri Jun 13 09:55:40 2014 : Info: ... adding new socket proxy (132.195.90.135, 40115) -> home_server (192.168.71.134, 2083) Fri Jun 13 09:56:33 2014 : Auth: (363) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 34070 cli cc3a.616c.9e60 via TLS tunnel) Fri Jun 13 09:56:33 2014 : Auth: (364) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 34070 cli cc3a.616c.9e60) Fri Jun 13 09:59:03 2014 : Auth: (590) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 61201 cli cc3a.616c.9e60 via TLS tunnel) Fri Jun 13 09:59:03 2014 : Auth: (591) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 61201 cli cc3a.616c.9e60) Fri Jun 13 09:59:06 2014 : Info: rlm_ldap (ldap): Opening additional connection (1) Fri Jun 13 09:59:06 2014 : Auth: (615) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c via TLS tunnel) Fri Jun 13 09:59:06 2014 : Auth: (617) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 09:59:07 2014 : Auth: (630) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 21912 cli CC-3A-61-6C-9E-60 via TLS tunnel) Fri Jun 13 09:59:07 2014 : Auth: (631) Login OK: [user152@uni-wuppertal.de] (from client radius2.eduroamclient.xy port 21912 cli CC-3A-61-6C-9E-60) Fri Jun 13 09:59:37 2014 : Info: rlm_ldap (ldap): Closing connection (0), from 1 unused connections Fri Jun 13 10:02:23 2014 : Auth: (1074) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc via TLS tunnel) Fri Jun 13 10:02:23 2014 : Auth: (1075) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 10:02:26 2014 : Auth: (1087) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12433 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:02:26 2014 : Auth: (1088) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12433 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:02:28 2014 : Auth: (1102) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12433 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:02:28 2014 : Auth: (1103) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12433 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:03:12 2014 : Auth: (1187) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12519 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:03:12 2014 : Auth: (1188) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12519 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:03:13 2014 : Auth: (1200) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c via TLS tunnel) Fri Jun 13 10:03:13 2014 : Auth: (1201) Login OK: [user729@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 1c-4b-d6-f7-b8-0c) Fri Jun 13 10:03:29 2014 : Auth: (1258) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc via TLS tunnel) Fri Jun 13 10:03:29 2014 : Auth: (1259) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 10:03:30 2014 : Auth: (1272) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc via TLS tunnel) Fri Jun 13 10:03:30 2014 : Auth: (1273) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 10:03:31 2014 : Auth: (1286) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc via TLS tunnel) Fri Jun 13 10:03:31 2014 : Auth: (1287) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli 90-72-40-dd-6a-cc) Fri Jun 13 10:04:27 2014 : Auth: (1361) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12754 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:04:27 2014 : Auth: (1362) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12754 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:05:20 2014 : Auth: (1489) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12964 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:05:20 2014 : Auth: (1490) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 12964 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:05:50 2014 : Auth: (1543) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli f0-b4-79-14-a0-7d via TLS tunnel) Fri Jun 13 10:05:50 2014 : Auth: (1544) Login OK: [userxb@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 29 cli f0-b4-79-14-a0-7d) Fri Jun 13 10:06:16 2014 : Auth: (1563) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13158 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:06:17 2014 : Auth: (1564) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13158 cli FC-25-3F-DC-34-4D) Fri Jun 13 10:06:21 2014 : Auth: (1579) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13175 cli FC-25-3F-DC-34-4D via TLS tunnel) Fri Jun 13 10:06:21 2014 : Auth: (1580) Login OK: [user932@uni-wuppertal.de] (from client radius1.eduroamclient.xy port 13175 cli FC-25-3F-DC-34-4D) -- --- Dipl.-Ing. Michael Simon ---- Bergische Universität Wuppertal - ZIM ------ Netzwerk- und Systemplanung -------- simon@uni-wuppertal.de --------- Tel. +49 202 439-2235 ---------- Fax. +49 202 439-2910
Michael Simon wrote:
After running FR 3.0.3 from GIT (FR 3.0.2 as well) for a while (a few hours) lots of “Error: rlm_eap (EAP): No EAP session matching state 0x…” appear in the log file.
The debug output would be a lot more helpful.
A restart of FR and the error messages are gone for the present.
These requests come from RADIUS over TLS (radsec) clients explained in /etc/freeradius/sites-available/tls
That shouldn't matter.
Is this a bug or a misconfiguration?
The server *should* work. Again, debug output would help a lot here. Alan DeKok.
Am 13.06.2014 13:42, schrieb Alan DeKok:
Michael Simon wrote:
After running FR 3.0.3 from GIT (FR 3.0.2 as well) for a while (a few hours) lots of “Error: rlm_eap (EAP): No EAP session matching state 0x…” appear in the log file.
A restart of FR and the error messages are gone for the present.
The debug output would be a lot more helpful.
Here is the debug output. The whole log size is 3.7MB (bz2 compressed) I also have a valgrind output. ==00:01:39:12.597 24025== LEAK SUMMARY: ==00:01:39:12.597 24025== definitely lost: 12,573 bytes in 34 blocks ==00:01:39:12.597 24025== indirectly lost: 53,791 bytes in 586 blocks ==00:01:39:12.597 24025== possibly lost: 2,049 bytes in 1 blocks ==00:01:39:12.597 24025== still reachable: 2,363,837 bytes in 22 blocks ==00:01:39:12.597 24025== suppressed: 0 bytes in 0 blocks ==00:01:33:10.179 24025== Conditional jump or move depends on uninitialised value(s) ==00:01:33:10.179 24025== at 0x40F4A4C: ??? (in /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0) ==00:01:33:10.179 24025== by 0x3801EE69: vgMemCheck_detect_memory_leaks (mc_leakcheck.c:1714) ==00:01:33:10.179 24025== by 0x42BE414: talloc_check_name (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.1) summary of an example: (1609) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34543 cli 0026.08dc.a8eb via TLS tunnel) (1610) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34543 cli 0026.08dc.a8eb) (1627) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 751 cli 00-26-08-DC-A8-EB via TLS tunnel) (1628) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 751 cli 00-26-08-DC-A8-EB) (1696) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34547 cli 80ea.96ad.cae3 via TLS tunnel) (1697) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34547 cli 80ea.96ad.cae3) (2132) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34566 cli 80ea.96ad.cae3 via TLS tunnel) (2133) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 34566 cli 80ea.96ad.cae3) (2147) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 744 cli 80-EA-96-AD-CA-E3 via TLS tunnel) (2148) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 744 cli 80-EA-96-AD-CA-E3) (2602) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 498 cli 80-EA-96-AD-CA-E3) (2671) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 759 cli 80-EA-96-AD-CA-E3) (2994) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21111 cli 80-EA-96-AD-CA-E3) (2996) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21111 cli 80-EA-96-AD-CA-E3) (3002) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21113 cli 80-EA-96-AD-CA-E3) (3012) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21113 cli 80-EA-96-AD-CA-E3) (3018) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 48469 cli 80-EA-96-AD-CA-E3) (3019) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 48469 cli 80-EA-96-AD-CA-E3) (3039) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21118 cli 80-EA-96-AD-CA-E3) (3040) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21118 cli 80-EA-96-AD-CA-E3) example last "Login OK": (2148) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2148) authorize { (2148) filter_username filter_username { (2148) if (!User-Name) (2148) if (!User-Name) -> FALSE (2148) if (User-Name =~ / /) (2148) if (User-Name =~ / /) -> FALSE (2148) if (User-Name =~ /@.*@/ ) (2148) if (User-Name =~ /@.*@/ ) -> FALSE (2148) if (User-Name =~ /\\.\\./ ) (2148) if (User-Name =~ /\\.\\./ ) -> FALSE (2148) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2148) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2148) if (User-Name =~ /\\.$/) (2148) if (User-Name =~ /\\.$/) -> FALSE (2148) if (User-Name =~ /@\\./) (2148) if (User-Name =~ /@\\./) -> FALSE (2148) } # filter_username filter_username = notfound (2148) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) (2148) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) -> FALSE (2148) [preprocess] = ok (2148) suffix : Looking up realm "uni-wuppertal.de" for User-Name = "user294@uni-wuppertal.de" (2148) suffix : Found realm "uni-wuppertal.de" (2148) suffix : Adding Stripped-User-Name = "user294" (2148) suffix : Adding Realm = "uni-wuppertal.de" (2148) suffix : Authentication realm is LOCAL (2148) [suffix] = ok (2148) eap : EAP packet type response id 12 length 43 (2148) eap : Continuing tunnel setup (2148) [eap] = ok (2148) } # authorize = ok (2148) Found Auth-Type = EAP (2148) # Executing group from file /etc/freeradius/sites-enabled/default (2148) authenticate { Waking up in 0.1 seconds. (2148) eap : Expiring EAP session with state 0x11574ddc115d54e6 (2148) eap : Finished EAP session with state 0x1e66753c156a6c95 (2148) eap : Previous EAP request found for state 0x1e66753c156a6c95, released from the list (2148) eap : Peer sent PEAP (25) (2148) eap : EAP PEAP (25) (2148) eap : Calling eap_peap to process EAP data (2148) eap_peap : processing EAP-TLS (2148) eap_peap : eaptls_verify returned 7 (2148) eap_peap : Done initial handshake (2148) eap_peap : eaptls_process returned 7 (2148) eap_peap : FR_TLS_OK (2148) eap_peap : Session established. Decoding tunneled attributes (2148) eap_peap : Peap state send tlv success (2148) eap_peap : Received EAP-TLV response (2148) eap_peap : Success (2148) eap_peap : Using saved attributes from the original Access-Accept Sending Access-Challenge Id 149 from 0.0.0.0:2083 to 192.178.71.138:27485 EAP-Message = 0x010c002b19001703010020a61f43fe889948870718b6d9a4375a8bc74af77ef47c7c4b6521c5f855157f5f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e66753c156a6c9510f0431d79ab79e0 Proxy-State = 0x3130 User-Name = 'user294@uni-wuppertal.de' NAS-IP-Address = 10.41.1.41 NAS-Port = 744 Called-Station-Id = '00-0F-7D-C7-BD-F2:eduroam' Calling-Station-Id = '80-EA-96-AD-CA-E3' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 28Mbps/1Mbps 802.11n' EAP-Message = 0x020c002b19001703010020ef84b95ede65e49ded032fd66b6bdafc81ed37235630c269c9885ecdced372d5 State = 0x1e66753c156a6c9510f0431d79ab79e0 Message-Authenticator = 0xd314db0076e4a7e688ef1a0c3f018b94 Proxy-State = 0x3131 Stripped-User-Name = 'user294' User-Name = 'user294@uni-wuppertal.de' (2148) eap : Freeing handler (2148) [eap] = ok (2148) } # authenticate = ok (2148) Login OK: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 744 cli 80-EA-96-AD-CA-E3) (2148) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (2148) post-auth { (2148) remove_reply_message_if_eap remove_reply_message_if_eap { (2148) if (reply:EAP-Message && reply:Reply-Message) (2148) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (2148) else else { (2148) [noop] = noop (2148) } # else else = noop (2148) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2148) update reply { (2148) Tunnel-Type := VLAN (2148) Tunnel-Medium-Type := IEEE-802 (2148) Tunnel-Private-Group-Id := 'eduroam' (2148) } # update reply = noop (2148) } # post-auth = noop (2148) Finished request example "No EAP session matching state" (3039) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3039) authorize { (3039) filter_username filter_username { (3039) if (!User-Name) (3039) if (!User-Name) -> FALSE (3039) if (User-Name =~ / /) (3039) if (User-Name =~ / /) -> FALSE (3039) if (User-Name =~ /@.*@/ ) (3039) if (User-Name =~ /@.*@/ ) -> FALSE (3039) if (User-Name =~ /\\.\\./ ) Waking up in 0.3 seconds. (3039) if (User-Name =~ /\\.\\./ ) -> FALSE (3039) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3039) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3039) if (User-Name =~ /\\.$/) (3039) if (User-Name =~ /\\.$/) -> FALSE (3039) if (User-Name =~ /@\\./) (3039) if (User-Name =~ /@\\./) -> FALSE (3039) } # filter_username filter_username = notfound (3039) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) (3039) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) -> FALSE (3039) [preprocess] = ok (3039) suffix : Looking up realm "uni-wuppertal.de" for User-Name = "user294@uni-wuppertal.de" (3039) suffix : Found realm "uni-wuppertal.de" (3039) suffix : Adding Stripped-User-Name = "user294" (3039) suffix : Adding Realm = "uni-wuppertal.de" (3039) suffix : Authentication realm is LOCAL (3039) [suffix] = ok (3039) eap : EAP packet type response id 9 length 6 (3039) eap : Continuing tunnel setup (3039) [eap] = ok (3039) } # authorize = ok (3039) Found Auth-Type = EAP (3039) # Executing group from file /etc/freeradius/sites-enabled/default (3039) authenticate { (3039) eap : Expiring EAP session with state 0x048451e3058748ec rlm_eap (EAP): No EAP session matching state 0x893a58798e334141 (3039) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (3039) eap : Failed in handler (3039) [eap] = invalid (3039) } # authenticate = invalid (3039) Failed to authenticate the user (3039) Login incorrect: [user294@uni-wuppertal.de] (from client radius2.eduroam.xy port 21118 cli 80-EA-96-AD-CA-E3) (3039) Using Post-Auth-Type Reject (3039) # Executing group from file /etc/freeradius/sites-enabled/default (3039) Post-Auth-Type REJECT { (3039) attr_filter.access_reject : EXPAND %{User-Name} (3039) attr_filter.access_reject : --> user294@uni-wuppertal.de (3039) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3039) [attr_filter.access_reject] = updated (3039) eap : Expiring EAP session with state 0x048451e3058748ec rlm_eap (EAP): No EAP session matching state 0x893a58798e334141 (3039) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (3039) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (3039) [eap] = noop (3039) remove_reply_message_if_eap remove_reply_message_if_eap { (3039) if (reply:EAP-Message && reply:Reply-Message) (3039) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (3039) else else { (3039) [noop] = noop (3039) } # else else = noop (3039) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3039) } # Post-Auth-Type REJECT = updated (3039) Delaying response for 1 seconds Thread 5 waiting to be assigned a request Waking up in 0.6 seconds. (3039) Sending delayed response Waking up in 3.9 seconds. (3039) Cleaning up request packet ID 4 with timestamp +3458 another user with "No EAP session matching state" (2925) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2925) authorize { (2925) filter_username filter_username { (2925) if (!User-Name) (2925) if (!User-Name) -> FALSE (2925) if (User-Name =~ / /) (2925) if (User-Name =~ / /) -> FALSE (2925) if (User-Name =~ /@.*@/ ) (2925) if (User-Name =~ /@.*@/ ) -> FALSE (2925) if (User-Name =~ /\\.\\./ ) (2925) if (User-Name =~ /\\.\\./ ) -> FALSE (2925) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2925) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2925) if (User-Name =~ /\\.$/) (2925) if (User-Name =~ /\\.$/) -> FALSE (2925) if (User-Name =~ /@\\./) (2925) if (User-Name =~ /@\\./) -> FALSE (2925) } # filter_username filter_username = notfound (2925) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) (2925) if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) ) -> FALSE (2925) [preprocess] = ok (2925) suffix : Looking up realm "uni-wuppertal.de" for User-Name = "user940@uni-wuppertal.de" (2925) suffix : Found realm "uni-wuppertal.de" (2925) suffix : Adding Stripped-User-Name = "user940" (2925) suffix : Adding Realm = "uni-wuppertal.de" (2925) suffix : Authentication realm is LOCAL (2925) [suffix] = ok (2925) eap : EAP packet type response id 6 length 6 (2925) eap : Continuing tunnel setup (2925) [eap] = ok (2925) } # authorize = ok (2925) Found Auth-Type = EAP (2925) # Executing group from file /etc/freeradius/sites-enabled/default (2925) authenticate { (2925) eap : Expiring EAP session with state 0xc2b31edcc2b10778 rlm_eap (EAP): No EAP session matching state 0xea2b54dbee2d4d20 (2925) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (2925) eap : Failed in handler (2925) [eap] = invalid (2925) } # authenticate = invalid (2925) Failed to authenticate the user (2925) Login incorrect: [user940@uni-wuppertal.de] (from client radius1.eduroam.xy port 13 cli 58:1f:aa:a5:7f:1a) (2925) Using Post-Auth-Type Reject (2925) # Executing group from file /etc/freeradius/sites-enabled/default (2925) Post-Auth-Type REJECT { (2925) attr_filter.access_reject : EXPAND %{User-Name} (2925) attr_filter.access_reject : --> user940@uni-wuppertal.de (2925) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2925) [attr_filter.access_reject] = updated (2925) eap : Expiring EAP session with state 0xc2b31edcc2b10778 rlm_eap (EAP): No EAP session matching state 0xea2b54dbee2d4d20 (2925) eap : Either EAP-request timed out OR EAP-response to an unknown EAP-request (2925) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (2925) [eap] = noop (2925) remove_reply_message_if_eap remove_reply_message_if_eap { (2925) if (reply:EAP-Message && reply:Reply-Message) (2925) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (2925) else else { (2925) [noop] = noop (2925) } # else else = noop (2925) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2925) } # Post-Auth-Type REJECT = updated (2925) Delaying response for 1 seconds Thread 3 waiting to be assigned a request Waking up in 0.7 seconds. (2925) Sending delayed response
Michael Simon wrote:
Here is the debug output.
The whole log size is 3.7MB (bz2 compressed)
Please mail it to me off-list.
example "No EAP session matching state"
(3039) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Which doesn't include the attributes from the packet, making it less useful. Alan DeKok.
Unfortunately you've trimmed too much here. The failing packet is not enough, the previous ones in the eap session matter as well in this case. -- Sent from my phone with, please excuse brevity and typos
participants (3)
-
Alan DeKok -
Michael Simon -
Phil Mayers