EAPTLS Stress test: 2.1.7
leopold
vova_b at yahoo.com
Wed Sep 30 20:43:35 CEST 2009
Hi,
We tried to stress test (EAPTLS) FreeRADIUS 2.1.7, which sits behind a load balancer.
We had 2 FreeRADIUS servers behind the load balancer (R1, R2).
Some requests got rejected (Access-Reject was sent) and the log showed:
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Now we understand that if an EAPTLS session started (we have 10
Access-Challenge messages because of our certificate chain) against Radius_1
and then continued to Radius_2 because the load balancer reverted it there, then
the EAPTLS handshake cannot succeed, but we expected that FreeRADIUS should drop
packets and NOT RESPOND instead of sending Access-Reject when it cannot find
the STATE variable.
By looking at the code, we think the eap_tls module returns RLM_MODULE_INVALID or
RLM_MODULE_FAIL when it cannot find the EAP session in the tree.
What is the proper configuration that we can use?
Is something like this recommended?
authorize {
    ..
    eap {
        ok = return
        updated = return
        handled = return
    }
    if (invalid) {
        do_not_respond
    }
    # if we reach here then Auth-Type != EAP
    ..
}
Thank you for your response
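The failure described in the message above, as an added simulation that is not part of the original post and is not FreeRADIUS code: two toy servers each keep their EAP sessions in a private table keyed by State, and a 10-challenge handshake is run through a balancer that picks a server per packet and through one that pins each client to a server. The class, the function names, the client ids and the choice of a per-client hash key are assumptions made for the illustration.

```python
import hashlib
import itertools
import random

CHALLENGES = 10  # Access-Challenge rounds per handshake, the figure given in the post

class ToyRadius:
    """Stand-in for one server: EAP sessions live in a private table keyed by State."""
    def __init__(self, name):
        self.name, self.sessions, self.seq = name, {}, itertools.count()

    def _challenge(self, rounds):
        state = f"{self.name}-{next(self.seq)}"   # State is only meaningful to this server
        self.sessions[state] = rounds
        return "Access-Challenge", state

    def handle(self, state):
        if state is None:                         # first Access-Request of a handshake
            return self._challenge(1)
        rounds = self.sessions.pop(state, None)
        if rounds is None:                        # "No EAP session matching the State variable"
            return "Access-Reject", None
        if rounds == CHALLENGES:
            return "Access-Accept", None
        return self._challenge(rounds + 1)

def per_packet(servers, seed=1):
    """Balancer that picks a server for every packet independently."""
    rng = random.Random(seed)
    return lambda client: rng.choice(servers)

def sticky(servers):
    """Balancer that hashes a stable per-client key, so a handshake stays on one server."""
    return lambda client: servers[hashlib.sha256(client.encode()).digest()[0] % len(servers)]

def stress(make_balancer, clients=100):
    servers = [ToyRadius("R1"), ToyRadius("R2")]
    pick = make_balancer(servers)
    pending = {f"client-{i:03d}": None for i in range(clients)}   # constructed client ids
    totals = {"Access-Accept": 0, "Access-Reject": 0}
    while pending:
        for client, state in list(pending.items()):   # interleave handshakes, as under load
            reply, new_state = pick(client).handle(state)
            if reply == "Access-Challenge":
                pending[client] = new_state
            else:
                totals[reply] += 1
                del pending[client]
    return totals

if __name__ == "__main__":
    print("per-packet:", stress(per_packet))
    print("sticky:    ", stress(sticky))
```

The per-packet run ends almost every handshake in Access-Reject because the State issued by one server is unknown to the other, while the sticky run completes all of them.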