generate_state() in rlm_eap module generates duplicate state ?

Vinay Wagh vinay.h.wagh at gmail.com
Mon Sep 24 22:36:41 CEST 2007


Hi,

I am using freeradius version 1.1.6 and I am observing a problem for
which I could not find an existing bug report. Here is the description:

Problem description
I am testing a gateway appliance for a large number of subscribers. I am
sending around 100 EAP-authentication requests (EAP-MD5) per second (or
more) to the freeradius server.  Before starting my request I changed the
max_requests configuration from 1024 to 8192. What I observed was that every
so often I would get an Access-Reject for a request which should have
succeeded and does succeed on subsequent attempts. I added debugs in the
freeradius server and found out that in eap_authenticate the handler for
this request never gets inserted in the session tree. So the radius server
sends the Access-Challenge but when the gateway replies to the
Access-Challenge the radius server cannot find the EAP request handler in
the session tree and so the authentication fails.

On looking deeper into the problem I saw that the reason the rbtree_insert
in eaplist_add() fails is because there is already a node in the tree with
the same state (PW_STATE), this node is for a different request altogether
and so the insert into the tree fails. Since I send multiple requests from
the same gateway and the radius client on the gateway opens up 4 source
ports to the radius server we can send 4 requests in the same second
that have the same ID and source IP address. The eap_handler_cmp() function
uses the STATE to distinguish requests if the id and source IP address are
the same, but in my case the state is also the same. Here is the relevant
debug log for it:

Wed Sep 19 22:36:37 2007 : Info: STATE: Added state 82 f1 8b 49 6f bf b9 a4 ee 2a d3 d5 ef f8 ec 3b for {am= 1}201myid at mynet.net
Sending Access-Challenge to {am= 1}201myid at mynet.net
...
...
rad_recv: Access-Request packet from host 1.1.1.1:57979, id=8, length=160
        User-Name = "{am= 1}245myid at mynet.net"
...
Wed Sep 19 22:36:37 2007 : Info: STATE: Added state 82 f1 8b 49 6f bf b9 a4 ee 2a d3 d5 ef f8 ec 3b for {am= 1}245myid at mynet.net
Wed Sep 19 22:36:37 2007 : Error: Found duplicate data, Id = {am= 1}201myid at mynet.net, State = 82 f1 8b 49 6f bf b9 a4 ee 2a d3 d5 ef f8 ec 3b
Wed Sep 19 22:36:37 2007 : Error: rlm_eap: Failed to remember handler!

I am guessing this can cause other problems, not sure if this can result in
sending Access-Accept to users who should not be authenticated but it
definitely rejects users who should be authenticated. Another problem I see
which seems related to this is that I receive Access-Accept on the gateway
for a valid user but the reply has an invalid message authenticator. I think
this is probably because it finds a different handler instead, but not sure
about that.

Is this a known bug? If yes, is it fixed and in what release? For now, I
am changing the eap_handler_cmp() function to compare the identity if the
state is the same, since in our lab setup we also have a unique identity for
each user. Do you see a problem with doing this?

Thanks,
Vinay
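
A simplified model of the failure described in this post, added here as an illustration; it is not FreeRADIUS source and not the poster's code. The struct, the function names and the flat array standing in for the rbtree are hypothetical; the id, address and State bytes are taken from the log above, and the identities are shortened, constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an EAP handler; all names here are hypothetical. */
struct handler { uint8_t id; uint32_t src_ip; uint8_t state[16]; const char *identity; };

/* Key order described in the post: id, source IP, then State. With
 * use_identity set, identity breaks a State tie (the poster's workaround). */
static int handler_cmp(const struct handler *a, const struct handler *b, int use_identity)
{
    if (a->id != b->id) return a->id < b->id ? -1 : 1;
    if (a->src_ip != b->src_ip) return a->src_ip < b->src_ip ? -1 : 1;
    int rc = memcmp(a->state, b->state, sizeof a->state);
    if (rc != 0 || !use_identity) return rc;
    return strcmp(a->identity, b->identity);
}

#define MAX_SESSIONS 8
struct session_list { const struct handler *slot[MAX_SESSIONS]; int count; };

/* Unique-key insert; a flat array stands in for the rbtree. Returns 0 when an
 * equal key is already stored, i.e. the "Found duplicate data" case. */
static int session_add(struct session_list *l, const struct handler *h, int use_identity)
{
    for (int i = 0; i < l->count; i++)
        if (handler_cmp(l->slot[i], h, use_identity) == 0) return 0;
    if (l->count == MAX_SESSIONS) return 0;
    l->slot[l->count++] = h;
    return 1;
}

/* Constructed input: two users, same id and source IP, same 16-byte State. */
static int stored_after_collision(int use_identity)
{
    struct handler a = {8, 0x01010101u, {0x82,0xf1,0x8b,0x49,0x6f,0xbf,0xb9,0xa4,
                        0xee,0x2a,0xd3,0xd5,0xef,0xf8,0xec,0x3b}, "201myid"};
    struct handler b = a; b.identity = "245myid";
    struct session_list l = {{0}, 0};
    session_add(&l, &a, use_identity);
    session_add(&l, &b, use_identity);
    return l.count;
}

int main(void)
{
    printf("state only: %d, with identity: %d\n", stored_after_collision(0), stored_after_collision(1));
    return 0;
}
```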