eap/ttls proxy: No EAP session matching the State variable.

Alan DeKok aland at deployingradius.com
Wed Sep 1 11:38:37 CEST 2010

Kadlecsik Jozsef wrote:
> We have a working freeradius setup, with one exception: when guests try to 
> authenticate (EduRoam) it always fails.

  You are trying to do EAP locally, *and* proxy EAP to another server.

> Here follows the output of eapol_test:

  That isn't necessary.

> And the debugging log of our freeradius server:

  That helps.

> rad_recv: Access-Request packet from host port 43327, id=0,
>	User-Name = "anonymous at teszt.eduroam.hu"

  The original packet from eapol_test.

> +- entering group pre-proxy {...}
> Sending Access-Request of id 135 to port 1812
>	User-Name = "anonymous at teszt.eduroam.hu"

  Which is proxied.

> rad_recv: Access-Challenge packet from host port 1812, id=67, length=67

  i.e. received an Access-Challenge from the home server.

> Sending Access-Challenge of id 1 to port 43327

  i.e. it's being sent back to eapol_test.

> rad_recv: Access-Request packet from host port 43327, id=2, length=240

  And the NAS is continuing the EAP conversation.

> 	User-Name = "anonymous at teszt.eduroam.hu"

  And this packet isn't proxied.


> rlm_eap: No EAP session matching the State variable.
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

  Since it isn't proxied, it's handled locallt.

  If you simply configure a realm "teszt.eduroam.hu", and tie it to the
home server, it *will* work.  You've clearly done something else, where
the first packet is proxied (somehow), and the later ones aren't.

  i.e. you've spent time creating a *complicated* proxy decision that
doesn't work, rather than using the *simple* proxying method that is
included with the server.

  Alan DeKok.

More information about the Freeradius-Users mailing list