2.1.10 Certificate Compatibility Warning
Alan DeKok
aland at deployingradius.com
Thu Jan  6 11:18:29 CET 2011

Ben Wiechman wrote:
> I've been testing EAP-TTLS/MSCHAPv2 authentication with a network
> device. FreeRADIUS keeps complaining about EAP sessions not finishing
> with the link to the certificate compatibility wiki link, however the
> authentication process completes successfully. Looking at the packet
> exchanges more carefully it appears that the supplicant is not
> incrementing the Packet Identifier. Every EAP packet sent by the
> device uses a packet identifier of 0.
  Ahh... a *RADIUS* packet identifier of 0.  That's... rude.
> Digging through the RFCs I didn't find a requirement that the Packet
> Identifier be incremented, only the note that it is used to correlate
> requests and responses. This is obviously probably more difficult if
> it never changes.
  It can be re-used when the client receives a reply.
> Is it a requirement that the NAS increment or change this value? It
> would definitely seem to be the preferred choice. Or is the server a
> bit too aggressive in detecting incomplete EAP sessions in this case?
  It's a bit aggressive.  The check for incomplete sessions is done when
the RADIUS packet is deleted.  In the *normal* case, the old packet is
cleaned up after ~3-4 seconds.  In this case, it's deleted *immediately*
when the server receives a new request.
  The solution is simple, and can go into 2.1.11.
  Alan DeKok.
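An added example, not part of this thread or of the FreeRADIUS code base: a Python model of the request cache behaviour Alan describes above, showing why a NAS that keeps RADIUS ID 0 trips the incomplete-EAP-session check while one that changes the ID does not. The client address, session labels, the 3.5 s cleanup delay and the single-NAS traffic are constructed assumptions.

```python
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865/3579 codes
CLEANUP_DELAY = 3.5  # seconds; the reply above says ~3-4 s in the normal case (assumed value)

def parse_header(pkt):
    """Split the 20-byte RADIUS header into (code, identifier, length, authenticator)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, length, pkt[4:20]

def access_request(ident, seed):
    """Constructed sample: minimal Access-Request, authenticator = 16 copies of seed."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + bytes([seed]) * 16

class RequestCache:
    """Model of the server-side packet cache the reply describes. Entries are keyed on
    (client, RADIUS ID) and dropped after CLEANUP_DELAY, or at once when the client reuses
    the ID with a new authenticator; the 'EAP session finished?' check runs at drop time."""
    def __init__(self):
        self.cache = {}        # (client, id) -> {"auth": bytes, "session": str, "t": float}
        self.finished = set()  # EAP sessions that reached Access-Accept/Reject
        self.warnings = []     # (client, id, session, reason)
    def _drop(self, key, reason):
        e = self.cache.pop(key)
        if e["session"] not in self.finished:
            self.warnings.append((key[0], key[1], e["session"], reason))
    def request(self, client, pkt, session, now):
        code, ident, _, auth = parse_header(pkt)
        assert code == ACCESS_REQUEST
        for k in [k for k, e in self.cache.items() if now - e["t"] >= CLEANUP_DELAY]:
            self._drop(k, "timeout")      # normal path: cleaned up a few seconds later
        key = (client, ident)
        if key in self.cache and self.cache[key]["auth"] != auth:
            self._drop(key, "id_reused")  # ID reused: old packet deleted immediately
        self.cache[key] = {"auth": auth, "session": session, "t": now}
    def reply(self, session, code):
        if code in (ACCESS_ACCEPT, ACCESS_REJECT):
            self.finished.add(session)

def simulate(ids, rtt=0.1):
    """One EAP conversation of len(ids) round trips using the given RADIUS IDs, then an
    unrelated request late enough to trigger the timeout cleanup; returns the warnings."""
    rc = RequestCache()
    now = 0.0
    for i, ident in enumerate(ids):
        rc.request("192.0.2.10", access_request(ident, i + 1), "eap-sess-1", now)
        rc.reply("eap-sess-1", ACCESS_CHALLENGE if i < len(ids) - 1 else ACCESS_ACCEPT)
        now += rtt
    rc.request("192.0.2.10", access_request(250, 99), "eap-sess-2", now + CLEANUP_DELAY)
    return rc.warnings
```

With incrementing IDs every intermediate packet is only reaped after the conversation has reached Access-Accept, so no warning is raised; with a constant ID 0 each new request evicts the previous one while the session is still mid-flight, producing one spurious warning per round trip.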