EAP-TTLS first connection works, other won't
Giovanni Lovato
giovanni.lovato at aldu.net
Sun Oct 5 03:43:54 CEST 2008
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> Mmmm... After a little more investigation, I think it's the AP that
>> causes the problem: it receives an Access-Accept but ignores it, sends
>> another Access-Request and FR correctly generates an Access-Reject
>> because of the duplicate request. So it's not a FR issue, but if someone
>> has advice on how to debug this, any help will be appreciated!
>
> Hmm... I think I see what's happening. The NAS is broken... it not
> only ignores the Access-Accept, but when it re-transmits the previous
> request, it does so with a *new* RADIUS Id. This means that the code in
> FreeRADIUS to detect retransmissions isn't used... and the packet is
> processed as a new request.
>
> If the NAS wasn't broken, it would re-transmit the request using the
> same RADIUS Id, and FreeRADIUS would send the same (saved) Access-Accept
> back, without doing any additional processing.
>
> The best advice is to replace the NAS. It's broken.
Thank you very much, your explanation is perfectly clear. The NAS is a
D-Link DWL-G700AP with a modified firmware (Wive). I'm trying it because
I need accounting and the original firmware doesn't send accounting
packets. I'll try to replace the daemon which does AAA on the NAS OS and
see if the issue persists.
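
Added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of the retransmission detection Alan describes, keyed on client source address and RADIUS Id, plus a diagnostic heuristic that flags a request whose State and EAP-Message repeat under a different Id, which is the NAS behaviour reported here. The class and function names, the address and the packet bytes are constructed for illustration.

```python
import struct

STATE, EAP_MESSAGE = 24, 79  # RADIUS attribute types (RFC 2865, RFC 3579)

def build(ident, auth, attrs):
    """Build a constructed Access-Request (code 1) for the demo below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + auth + body

def parse(packet):
    """Split a RADIUS packet into (code, id, authenticator, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs

class DedupCache:
    """Simplified model of server-side duplicate detection (an assumption,
    not the server's real data structure)."""
    def __init__(self):
        self.by_id = {}       # (src, id) -> Request Authenticator already handled
        self.by_payload = {}  # (src, State + EAP-Message bytes) -> id that carried it

    def classify(self, src, packet):
        _, ident, auth, attrs = parse(packet)
        if self.by_id.get((src, ident)) == auth:
            return "retransmit"          # same Id: resend the saved reply
        self.by_id[(src, ident)] = auth
        payload = b"".join(attrs.get(STATE, []) + attrs.get(EAP_MESSAGE, []))
        if not payload:
            return "new"                 # no EAP state to correlate on
        prev = self.by_payload.get((src, payload))
        self.by_payload[(src, payload)] = ident
        # Same EAP payload under a different Id looks like a brand-new request
        return "new" if prev in (None, ident) else "reissued-new-id"

def demo():
    src = ("192.0.2.10", 32768)          # constructed NAS address and port
    attrs = [(STATE, b"\x01\x02\x03\x04"), (EAP_MESSAGE, b"\x02\x05\x00\x06\x15\x00")]
    packets = [build(7, b"A" * 16, attrs)] * 2 + [build(8, b"B" * 16, attrs)]
    cache = DedupCache()
    return [cache.classify(src, p) for p in packets]
```
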