Error: rlm_eap: No EAP session matching the State variable.

Alan DeKok aland at
Mon Apr 12 09:08:09 CEST 2010

Rupesh Kumar wrote:
> I am using latest freeradius server (version 2.1.8).

  Which AP && supplicant (client PC) are you using?

> I have two authenticated sessions established with radius server and
> when disable and reenable the dot1x sessions, then I am seeing the
> following error and one request is getting Reject message from the server.
> Is it a known issue in radius server or what is the root cause of it.

  The supplicant and/or the Access Point is broken.

> I have attached radius server failure log messages

  The supplicant starts EAP, and the server responds with a request for
EAP-TLS.  The supplicant NAKs it, and asks for EAP-MD5.  The server
responds with EAP-MD5.

  The supplicant then responds with a NAK for EAP-MD5.  This packet from
the AP contains the *old* State variable from the previous NAK.

  A close look at the packet traces shows that either the supplicant is
re-using the old NAK (and confusing the AP), or the AP is re-using an
old packet (and confusing the supplicant).

  Either way, the packet traces on the server show that the server is
behaving correctly.  The error message about "no matching state" is
because the server has moved on to the *next* step of EAP, and it
receives a packet from the *previous* step.  So there really is "no
matching state".

  Try using another supplicant and/or AP.  You won't be able to fix this
by editing the server configuration.

  Alan DeKok.

More information about the Freeradius-Users mailing list