Question about a configuration entry in the eap.conf file

Terry Zarelli terry.zarelli at gmail.com
Sat Mar 18 01:02:49 CET 2006


This may seem off topic, but here it is:

I am currently using Freeradius 1.1.0 on Solaris 9 to authenticate
WPA enabled clients using EAP-TLS.  I am using Cisco 1130 AG access points
controlled by a Cisco/Airespace 2000 Wireless Controller using the LWAPP
protocol.  I have just recently installed this setup and have about 6
clients on it now.  The users are reporting many disconnects and, looking
through the log files of the 2000 Wireless Controller, I am seeing too
many EAP-Identity Request retries (more than the controller will allow; it
will not allow over 21 retries).  I also get "Authentication Aborted"
messages; note that these are from the 2000 Wireless Controller, not the
Radius server logs.

I have attempted to run Radius in debug mode (radiusd -X) but cannot
decipher (as of yet) the messages returned.  Plus, it is hard to correlate
the connection drops with the Radius log file. So I am trying to narrow down
what may be causing the disconnects, and the reason for the original
question was a grab for straws on what that setting did and how it may
possibly relate to this problem.

BTW,
Freeradius is an excellent piece of software.  We have used another Radius
server on Linux 7.1 running an early version (pre 1.0) to authenticate our
VPN and iPass accounts for a couple of years now and it works great.
Actually we use 4 Radius servers for our enterprise.  Thanks for the great
work.

Thanks
Terry Zarelli


On 3/17/06, Alan DeKok <aland at ox.org> wrote:
>
> "Terry Zarelli" <terry.zarelli at gmail.com> wrote:
> > A list is maintained to correlate EAP-Response
> > packets with EAP-Request packets.  After a
> > configurable length of time, entries in the list
> > expire, and are deleted.
> >
> > timer_expire = 60
>
> An EAP conversation spans multiple RADIUS packets.  So the server
> has to keep track of state to ensure that it doesn't forget about
> ongoing conversations.
>
> > What will happen if I change the timer value?
>
> If you set it too low, the server will forget about EAP
> conversations in the middle of the conversation.  If you set it too
> high, then someone can attack the server by sending it many partial
> EAP conversations, and making the server remember them all.
>
> What would you change the value to, and why?  If you're not sure
> what the configuration entry means, why would you want to change it?
>
> Alan DeKok.
>
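
The trade-off described in the quoted reply, as an added example that is not part of the original thread and is not FreeRADIUS code: a simplified Python model of an expiring EAP session list. The class and function names are hypothetical, and refreshing an entry's timestamp on each round trip is a modelling assumption.

```python
import itertools

class EapSessionList:
    """Toy model: in-progress EAP conversations keyed by an opaque state token."""
    def __init__(self, timer_expire):
        self.timer_expire = timer_expire   # seconds, as in eap.conf
        self.sessions = {}                 # state token -> time last touched
        self._ids = itertools.count(1)

    def _purge(self, now):
        # Entries older than timer_expire expire and are deleted.
        dead = [s for s, t in self.sessions.items() if now - t >= self.timer_expire]
        for s in dead:
            del self.sessions[s]

    def start(self, now):
        """Server sent an EAP-Request; remember it so the reply can be matched."""
        self._purge(now)
        state = next(self._ids)
        self.sessions[state] = now
        return state

    def resume(self, state, now):
        """EAP-Response arrived; True if the conversation is still remembered."""
        self._purge(now)
        if state not in self.sessions:
            return False                   # forgotten mid-conversation
        self.sessions[state] = now
        return True

def slow_client_succeeds(timer_expire, delay, rounds=4):
    """A client taking `delay` seconds per round trip over `rounds` round trips."""
    lst = EapSessionList(timer_expire)
    now = 0
    state = lst.start(now)
    for _ in range(rounds):
        now += delay
        if not lst.resume(state, now):
            return False
    return True

def peak_abandoned(timer_expire, per_second, duration):
    """Peak list size when `per_second` conversations start and never continue."""
    lst = EapSessionList(timer_expire)
    peak = 0
    for now in range(duration):
        for _ in range(per_second):
            lst.start(now)
        peak = max(peak, len(lst.sessions))
    return peak
```

In this model the memory held by unfinished conversations is bounded by arrival rate times timer_expire, which is why a larger value raises the cost of many partial conversations while a smaller one cuts off slow clients.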