eap/ttls proxy: No EAP session matching the State variable.
Kadlecsik Jozsef
kadlec at mail.kfki.hu
Wed Sep 1 16:27:10 CEST 2010
On Wed, 1 Sep 2010, Alan DeKok wrote:
> Kadlecsik Jozsef wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
> > User-Name = "anonymous at teszt.eduroam.hu"
>
> The original packet from eapol_test.
>
> > +- entering group pre-proxy {...}
> ...
> > Sending Access-Request of id 135 to 195.111.98.4 port 1812
> > User-Name = "anonymous at teszt.eduroam.hu"
>
> Which is proxied.
>
> > rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=67, length=67
>
> i.e. received an Access-Challenge from the home server.
>
> > Sending Access-Challenge of id 1 to 127.0.0.1 port 43327
>
> i.e. it's being sent back to eapol_test.
>
> > rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=2, length=240
>
> And the NAS is continuing the EAP conversation.
>
> > User-Name = "anonymous at teszt.eduroam.hu"
>
> And this packet isn't proxied.
>
> Why?
>
> > rlm_eap: No EAP session matching the State variable.
> > [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
>
> Since it isn't proxied, it's handled locally.

It turned out that the default setting in the virtual server:

    authorize {
        ...
        eap {
            ok = return
        }
        ....
        files
    }

prevented the daemon from processing the users file. From the debug log:

    +[mschap] returns noop
    [eap] EAP packet type response id 2 length 93
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    +- entering group authenticate {...}

i.e., the users file was skipped.

Thanks for pointing out the local processing, somehow we did not realize it.

Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
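
Added example, not part of the original message and not FreeRADIUS code: a small Python check over `radiusd -X` debug output that flags requests showing the failure discussed in this thread (no `files` result in authorize, not proxied, then the EAP State error). The sample log is constructed in the format of the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the debug format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=0, length=160
++[eap] returns updated
++[files] returns ok
Sending Access-Request of id 135 to 195.111.98.4 port 1812
rad_recv: Access-Challenge packet from host 195.111.98.4 port 1812, id=135, length=67
Sending Access-Challenge of id 0 to 127.0.0.1 port 43327
rad_recv: Access-Request packet from host 127.0.0.1 port 43327, id=1, length=240
+[mschap] returns noop
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
"""

REQ = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
MOD = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
PROXY = re.compile(r"^Sending Access-Request of id \d+ to (\S+)")
STATE_ERR = "No EAP session matching the State variable"

def analyze(log):
    """Return one record per Access-Request received from a NAS."""
    requests = []
    for line in map(str.strip, log.splitlines()):
        if (m := REQ.match(line)):
            requests.append({"id": int(m.group(1)), "modules": [],
                             "proxied_to": None, "state_error": False})
        elif requests:  # ignore anything before the first request
            cur = requests[-1]
            if (m := MOD.match(line)):
                cur["modules"].append((m.group(1), m.group(2)))
            elif (m := PROXY.match(line)):
                cur["proxied_to"] = m.group(1)
            elif STATE_ERR in line:
                cur["state_error"] = True
    return requests

def handled_locally_by_mistake(log, realm_module="files"):
    """IDs of requests that skipped realm_module, were not proxied, and hit the State error."""
    return [r["id"] for r in analyze(log)
            if r["state_error"] and r["proxied_to"] is None
            and realm_module not in (name for name, _ in r["modules"])]

if __name__ == "__main__":
    print(handled_locally_by_mistake(SAMPLE_LOG))
```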