2.1.10 Certificate Compatibility Warning

Alan DeKok aland at deployingradius.com
Thu Jan 6 11:18:29 CET 2011

Ben Wiechman wrote:
> I've been testing EAP-TTLS/MSCHAPv2 authentication with a network
> device. FreeRADIUS keeps complaining about EAP sessions not finishing
> with the link to the certificate compatibility wiki link, however the
> authentication process completes successfully. Looking at the packet
> exchanges more carefully it appears that the supplicant is not
> incrementing the Packet Identifier. Every EAP packet sent by the
> device uses an packet identifier of 0.

  Ahh... a *RADIUS* packet identifier of 0.  That's... rude.

> Digging through the RFCs I didn't find a requirement that the Packet
> Identifier be incremented, only the note that it is used to correlate
> requests and responses. This is obviously probably more difficult if
> it never changes.

  It can be re-used when the client receives a reply.

> Is it a requirement that the NAS increment or change this value? It
> would definitely seem to be the preferred choice. Or is the server a
> bit too aggressive in detecting incomplete EAP sessions in this case?

  It's a bit aggressive.  The check for incomplete sessions is done when
the RADIUS packet is deleted.  In the *normal* case, the old packet is
cleaned up after ~3-4 seconds.  In this case, it's deleted *immediately*
when the server receives a new request.

  The solution is simple, and can go into 2.1.11.

  Alan DeKok.

More information about the Freeradius-Users mailing list