eap/ttls proxy: No EAP session matching the State variable.
Alan DeKok
aland at deployingradius.com
Wed Sep 1 11:38:37 CEST 2010
Kadlecsik Jozsef wrote:
> We have a working freeradius setup, with one exception: when guests try to
> authenticate (EduRoam) it always fails.
You are trying to do EAP locally, *and* proxy EAP to another server.
> Here follows the output of eapol_test:
That isn't necessary.
> And the debugging log of our freeradius server:
That helps.
> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
> User-Name = "anonymous at teszt.eduroam.hu"
The original packet from eapol_test.
> +- entering group pre-proxy {...}
...
> Sending Access-Request of id 135 to 195.111.98.4 port 1812
> User-Name = "anonymous at teszt.eduroam.hu"
Which is proxied.
> rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67
i.e. received an Access-Challenge from the home server.
> Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
i.e. it's being sent back to eapol_test.
> rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240
And the NAS is continuing the EAP conversation.
> User-Name = "anonymous at teszt.eduroam.hu"
And this packet isn't proxied.
Why?
> rlm_eap: No EAP session matching the State variable.
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Since it isn't proxied, it's handled locally.
If you simply configure a realm "teszt.eduroam.hu", and tie it to the
home server, it *will* work. You've clearly done something else, where
the first packet is proxied (somehow), and the later ones aren't.
i.e. you've spent time creating a *complicated* proxy decision that
doesn't work, rather than using the *simple* proxying method that is
included with the server.
Alan DeKok.
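
Added example, not part of the original message and not FreeRADIUS code: a small Python check that walks a server debug log and reports users whose Access-Requests were proxied for one packet and handled locally for another, which is the split visible in the log quoted above. The sample lines are constructed from that quoted log, and the function names are hypothetical.

```python
import re

# Constructed sample: lines abbreviated from the debug log quoted in the message.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
    User-Name = "anonymous at teszt.eduroam.hu"
Sending Access-Request of id 135 to 195.111.98.4 port 1812
rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67
Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240
    User-Name = "anonymous at teszt.eduroam.hu"
rlm_eap: No EAP session matching the State variable.
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
USER = re.compile(r'User-Name = "([^"]*)"')
PROXY = re.compile(r"Sending Access-Request of id \d+ to (\S+) port (\d+)")
NO_SESSION = "No EAP session matching the State variable"

def trace_requests(log_text):
    """Return one record per Access-Request received from a NAS."""
    requests, current = [], None
    for line in log_text.splitlines():
        m = RECV.search(line)
        if m:  # a new incoming request starts a new record
            current = {"id": int(m.group(3)), "user": None,
                       "proxied_to": None, "eap_state_error": False}
            requests.append(current)
            continue
        if current is None:
            continue
        if current["user"] is None and (m := USER.search(line)):
            current["user"] = m.group(1)
        elif (m := PROXY.search(line)):  # request was forwarded to a home server
            current["proxied_to"] = m.group(1)
        elif NO_SESSION in line:  # local rlm_eap saw a State it never issued
            current["eap_state_error"] = True
    return requests

def split_routing(requests):
    """Users with at least one proxied and at least one locally handled request."""
    seen = {}
    for r in requests:
        seen.setdefault(r["user"], set()).add("proxy" if r["proxied_to"] else "local")
    return sorted(u for u, modes in seen.items() if modes == {"proxy", "local"})
```

Any user returned by `split_routing` has an EAP conversation whose packets took different paths, so the proxy decision for that realm is the place to look.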