EAP_PEAP authentication failing if set to higher rate if greater than 600 TPS.
Alan DeKok
aland at deployingradius.com
Tue Jun 15 14:13:16 CEST 2021
On Jun 15, 2021, at 7:16 AM, saurabha badhai <saurabha.badhai at gmail.com> wrote:
> Using freeradius server set EAP_PEAP method for authentication. When try to
> do more authentication per second may be 600 or higher, seeing errors at
> radius server.
>
> I am using freeradius version 3.0.13 to test,
Use 3.0.23. It has a lot of improvements, including better TLS messages. It's available as a CentOS7 package:
https://networkradius.com/packages/
> Tue Jun 15 16:37:23 2021 : ERROR: (296599) eap: ERROR: rlm_eap (EAP): No
> EAP session matching state 0x6e130c1e6e1215a6
The server has to track EAP messages across multiple packets. It does that via the State attribute.
That message means that the server has given up on an EAP message, and deleted it as too old / too many. Then after that happened, the client sent another EAP message for that session.
Try editing mods-available/eap, and setting
max_sessions = 100000
or maybe a higher number. It *might* help.
> Tue Jun 15 16:37:23 2021 : ERROR: (296602) eap_peap: ERROR: TLS Alert
> read:fatal:decode error
> Tue Jun 15 16:37:23 2021 : ERROR: (296602) eap_peap: ERROR: TLS_accept:
> Failed in SSLv3 read client key exchange A
Internal TLS / OpenSSL errors. That's out of our control.
If your system can't handle 600 auths/s, then your solutions are:
a) lower the number of packets hitting the server
b) upgrade the server to faster CPU / memory / etc.
Alan DeKok.
More information about the Freeradius-Devel
mailing list