EAPTLS Stress test: 2.1.7

leopold vova_b at yahoo.com
Wed Sep 30 20:43:35 CEST 2009


Hi,
We tried to stress test (EAPTLS) FreeRADIUS 2.1.7, which sits behind a load
balancer.
We had 2 FreeRADIUS servers behind the load balancer (R1, R2).

Some requests got rejected (Access-Reject was sent) and the log showed:

Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.
Wed Sep 30 11:56:31 2009 : Error: rlm_eap: No EAP session matching the State variable.

Now we understand that if an EAPTLS session started (we have 10
Access-Challenge messages because of our certificate chain) against Radius_1
and then continued to Radius_2 because the load balancer reverted it there, then
the EAPTLS handshake cannot succeed, but we expected that FreeRADIUS should drop
packets and NOT RESPOND instead of sending Access-Reject when it cannot find the
STATE variable.

By looking at the code, we think the eap_tls module returns RLM_MODULE_INVALID or
RLM_MODULE_FAIL when it cannot find the EAP session in the tree.


What is the proper configuration that we can use?
Is something like this recommended?

authorize {
..
        eap {
                ok = return
                updated = return
                handled = return
        }
        if (invalid) {
                do_not_respond
        }

        # if we reach here then Auth-Type != EAP
..
}

Thank you for your response
-- 
View this message in context: http://www.nabble.com/EAPTLS-Stress-test%3A-2.1.7-tp25686662p25686662.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
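
The failure described in this post, reproduced as a small simulation (an added example, not part of the original message and not FreeRADIUS code): two servers that each keep EAP state only in their own memory, fed first by a per-packet balancer and then by one that pins each client to a server. The class and function names, the CRC32 key on a Calling-Station-Id, and the client values are assumptions made for illustration.

```python
import itertools
import os
import zlib

ROUNDS = 10  # Access-Challenge round trips per handshake, as in the post

class RadiusServer:
    """Toy model of one server: EAP sessions live only in its own memory."""
    def __init__(self):
        self.sessions = {}  # State value -> rounds left, counting the one in flight

    def handle(self, state):
        """Process one Access-Request; return (reply, State for next packet)."""
        if state is None:                 # first packet of a handshake
            remaining = ROUNDS
        elif state in self.sessions:      # continuation of our own session
            remaining = self.sessions.pop(state) - 1
        else:                             # State was issued by the other server
            return "Access-Reject", None
        if remaining == 0:
            return "Access-Accept", None
        new_state = os.urandom(8).hex()
        self.sessions[new_state] = remaining
        return "Access-Challenge", new_state

def round_robin(servers):
    """Per-packet balancing: each packet goes to the next server in turn."""
    ring = itertools.cycle(servers)
    return lambda client: next(ring)

def sticky(servers):
    """Per-client balancing: a stable key keeps one client on one server."""
    return lambda client: servers[zlib.crc32(client.encode()) % len(servers)]

def run(make_balancer, clients):
    """Drive one full handshake per client; return {client: final reply}."""
    pick = make_balancer([RadiusServer(), RadiusServer()])  # R1 and R2
    results = {}
    for client in clients:
        reply, state = "Access-Challenge", None
        while reply == "Access-Challenge":
            reply, state = pick(client).handle(state)
        results[client] = reply
    return results

# Constructed Calling-Station-Id values, not taken from the post.
CLIENTS = ["02-00-00-00-00-%02X" % i for i in range(1, 6)]
if __name__ == "__main__":
    print({lb.__name__: run(lb, CLIENTS) for lb in (round_robin, sticky)})
```

With per-packet balancing the second packet of every handshake reaches a server that never issued its State; with a per-client key every handshake completes on the server that started it.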



