Debugging "No EAP session matching the State variable"
I run two freeradius servers (both 2.2.0 x86_64) with MySQL backends doing ntlm_auth (RHEL 6 Samba 3.6.9) for EAP-PEAP-MSChapV2 for our client devices. I have enabled the server debug using radmin (the debug file is HUUUUUGE so that is why I am not posting it along with). I have googled and read and analyzed as much as I can so I am looking to the list to see if anyone has experienced this problem. I was concentrating on a single user mhaley: Sep 16 08:40:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81) Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81) Sep 16 09:58:01 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81) Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81) Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81) Sep 16 10:03:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 10:03:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81) Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81) Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel) Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81) Around there (without the OK's, I am seeing many of this style of message): Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [jwalters38] (from client resnet1-WiSM-A port 13 cli a8:26:d9:34:bc:5f) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [arogers44] (from client Rich-core-WiSM-E port 29 cli a8:06:00:cc:6b:29) Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bboggess3] (from client Rich-core-WiSM-E port 29 cli 40:a6:d9:9a:9a:53) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [cparker31] (from client Rich-core-WiSM-E port 29 cli 88:53:95:79:ea:0c) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [djohnson77] (from client Rich-core-WiSM-E port 29 cli 60:45:bd:f2:7e:a8) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [lnichols3] (from client Rich-core-WiSM-E port 29 cli e0:75:7d:4e:97:bb) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [oanachebe3] (from client Rich-core-WiSM-E port 29 cli 98:d6:f7:5f:aa:cf) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bmcgowan6] (from client Rich-core-WiSM-E port 29 cli c8:aa:21:39:7e:32) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [yyu98] (from client Rich-core-WiSM-E port 29 cli 9c:3a:af:60:ed:bc) Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable. I need some guidance on what to enable, what to look for, etc. to fix this. I will be glad to post a full debug log (this server is very busy, but it's beefy beefy so should be handling things). I'll gladly post the multi megabyte debug log somewhere with a date/time of when things are occurring. Within the debug mode, I didn't see a way for me to follow a given thread of authentication. It looks like (forgive me if I am misreading) the debug messages are interleaved. There appears to be a process ID (5357?) but that same guide number style doesn't appear in the debug (allowing me to focus in on that one authentication session). It appears to be doing ok, but these failed auth's may appear to the end user as a wireless session drop so I am very concerned. [root@newdvlana 2013]# /services/snacks/lawn/util/radius-server-status.sh Received response ID 28, code 2, length = 140 FreeRADIUS-Total-Access-Requests = 14103212 FreeRADIUS-Total-Access-Accepts = 2072612 FreeRADIUS-Total-Access-Rejects = 132162 FreeRADIUS-Total-Access-Challenges = 11896299 FreeRADIUS-Total-Auth-Responses = 14101073 FreeRADIUS-Total-Auth-Duplicate-Requests = 430 FreeRADIUS-Total-Auth-Malformed-Requests = 0 FreeRADIUS-Total-Auth-Invalid-Requests = 0 FreeRADIUS-Total-Auth-Dropped-Requests = 1824 FreeRADIUS-Total-Auth-Unknown-Types = 0 After finding some messages on the devel list, I saw some reference to memory clean up but that was a while ago so not sure how valid that comment/problem is in the 2.2.0 version. How should I approach this problem? - John Douglass, Sr. Systems IT/Architect
Hi,
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
turn on full debug for just a single User-Name or Calling-Station-Id (check radmin docs). whats your authentication clean-up/tidy up times - as if the clients dont respond then the session is cleared away and so no matching state/session will be found. also, what clients are these? Android, for example, has an annoying thign where 802.1X networks that have credentials stored need the credential store to be unlocked before they'll authenticate to that 802.1X network again. also, check your wireless domain. find some of these clients (CSI) on your wireless management dashboard and find out what their relationship with nearest APs is - they could be being mobile between APs in a nasty way or during authencication so a packet or 2 is mising. remmeber, with eg 802.1X and PEAP you've got 11 packets or more to be shunted over wireless (and UDP!) for an authentication. if you've allowed clients to join to APs at really low rates and borderline connections, this can cause grief. alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
John Douglass