EAP-TTLS first connection works, other won't
Alan DeKok
aland at deployingradius.com
Sat Oct 4 09:36:57 CEST 2008
Giovanni Lovato wrote:
> Mmmm... After a little more investigation, I think it's the AP that
> causes the problem: it receives an Access-Accept but ignores it, sends
> another Access-Request and FR correctly generates an Access-Reject
> because of the duplicate request. So it's not a FR issue, but if someone
> has advice on how to debug this, any help will be appreciated!

Hmm... I think I see what's happening. The NAS is broken... it not
only ignores the Access-Accept, but when it re-transmits the previous
request, it does so with a *new* RADIUS Id. This means that the code in
FreeRADIUS to detect retransmissions isn't used... and the packet is
processed as a new request.

If the NAS wasn't broken, it would re-transmit the request using the
same RADIUS Id, and FreeRADIUS would send the same (saved) Access-Accept
back, without doing any additional processing.

The best advice is to replace the NAS. It's broken.

Alan DeKok.
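
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the retransmission handling described above, showing why a re-sent request with the same RADIUS Id gets the saved reply while the same request under a new Id is processed again. The `Server` class, the `finished` set standing in for a completed EAP session, the opaque request body and the sample address are all assumptions made for illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def build(code, ident, auth, body=b""):
    """Pack a RADIUS packet: Code, Identifier, Length, 16-byte Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(data):
    """Return (code, identifier, authenticator, body), validating the header."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length field")
    return code, ident, data[4:20], data[20:length]

class Server:
    """Simplified model: duplicates are keyed on (source IP, source port, Id)."""
    def __init__(self):
        self.saved = {}        # key -> (request authenticator, saved reply)
        self.finished = set()  # assumption: stand-in for completed EAP sessions

    def handle(self, src, data):
        code, ident, auth, body = parse(data)
        if code != ACCESS_REQUEST:
            raise ValueError("not an Access-Request")
        key = (src[0], src[1], ident)
        hit = self.saved.get(key)
        if hit and hit[0] == auth:
            return "retransmit", hit[1]   # same Id: resend the saved reply
        # Unknown Id, so full processing; a finished session cannot be reused.
        verdict = ACCESS_REJECT if body in self.finished else ACCESS_ACCEPT
        self.finished.add(body)
        reply = build(verdict, ident, bytes(16))  # response authenticator not computed
        self.saved[key] = (auth, reply)
        return "new", reply

def demo():
    # Constructed sample input; the body is opaque here, not real attributes.
    nas, auth, body = ("192.0.2.10", 1645), bytes(range(16)), b"constructed-eap-final"
    srv = Server()
    results = [srv.handle(nas, build(ACCESS_REQUEST, 7, auth, body)),  # first request
               srv.handle(nas, build(ACCESS_REQUEST, 7, auth, body)),  # correct retransmit
               srv.handle(nas, build(ACCESS_REQUEST, 8, auth, body))]  # re-sent with new Id
    return [(kind, parse(reply)[0]) for kind, reply in results]

if __name__ == "__main__":
    print(demo())
```

In a packet capture, the same pattern shows up as an Access-Request whose Id changes after an Access-Accept has already been sent for the previous Id.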