EAP-TLS constant disconnects

Uros Kolar host.uros at gmail.com
Mon Nov 26 09:29:28 CET 2012


Phil, thank you for your reply!

I've tried to debug as you suggested. I ran Wireshark on the remote side +
tcpdump on the server side.

The results are really interesting and not expected.

When the client is disconnected, it sends an auth request to the server.
The server gets the request and, after a successful authentication, it sends back
an Access-Accept. The client gets this message. However, immediately after a
successful authentication, it starts the authentication process again
and it loops like that. During the test, Access-Accept was granted 7 times,
but the client was still without a connection and retrying.

For the tests I used a Linux client on the remote side. After running dhclient
a couple of times the connection is usually restored; sometimes it is even
necessary to take down the interface and bring it up again to restore the
connection.

To my understanding, this does not prove weak Wi-Fi as the reason for the
failure, just as it does not prove that it is not the cause of the trouble.
Additionally, there seems to be something else, besides wireless, which I
can't explain, so feel free to comment and suggest!

Regards!


On Fri, Nov 23, 2012 at 10:54 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 11/23/2012 08:03 AM, Uros Kolar wrote:
>
>> Hi all!
>>
>> We've been using freeradius 2.1.12 with EAP-TLS authentication. The
>> problem we experience is constant disconnects of the clients. After
>> some time (it seems like the intervals are random) of usage the
>> connection drops. I don't have a debug output, since the server is in
>> production already and because of the valid traffic it's hard to
>> efficiently debug it that way.
>>
>> A similar problem was already reported some years ago (without an
>> answer - at least not in that thread): http://bit.ly/10o9xkG
>>
>
> The issue described in that post is symptomatic of wireless problems -
> interference, low signal, etc. - not RADIUS problems. The "EAP Identity"
> retries he mentions are on the *wireless* side i.e. the AP asking the
> client to start a re-auth.
>
> Your problem also sounds like wireless to me; FreeRADIUS either:
>
>  * receives auth requests and sends an accept
>  * receives auth requests and sends a reject
>  * receives auth requests that the client never completes
>
> It doesn't somehow magically disconnect the client (well, unless you're
> using the CoA functionality and you *ask* it to).
>
> I would suggest starting the debugging at the wireless side. Wait for a
> report of a disconnect, then search your logs.
>
> You could also start a rolling tcpdump on the RADIUS server of all auth
> traffic, and then search it for an auth request - I bet you don't see one.
>
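Added example, not part of the original thread or of FreeRADIUS: a way to search a server-side capture for the pattern reported above, where the same station receives several Access-Accepts in a short time. It assumes the RADIUS UDP payloads have already been extracted from the tcpdump capture, that Access-Requests carry Calling-Station-Id, and that replies are matched by NAS address and identifier; the function names, thresholds and sample values are constructed.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
CALLING_STATION_ID = 31                # attribute that usually carries the client MAC

def parse_radius(payload):
    """Return (code, identifier, attrs) for one RADIUS UDP payload."""
    code, ident, length = struct.unpack("!BBH", payload[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(payload):
        raise ValueError("bad or truncated RADIUS length")
    attrs, pos = {}, 20                # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def reauth_loops(packets, window=60.0, threshold=3):
    """packets: (timestamp, nas_addr, payload) in capture order -> {station: accepts}."""
    pending, accepts = {}, defaultdict(list)   # pending: (nas, id) -> station
    for ts, nas, payload in packets:
        try:
            code, ident, attrs = parse_radius(payload)
        except ValueError:
            continue                   # skip truncated or non-RADIUS payloads
        if code == ACCESS_REQUEST and CALLING_STATION_ID in attrs:
            pending[(nas, ident)] = attrs[CALLING_STATION_ID].decode("ascii", "replace")
        elif code == ACCESS_ACCEPT and (nas, ident) in pending:
            accepts[pending.pop((nas, ident))].append(ts)
    flagged = {}
    for station, times in accepts.items():
        # Largest number of accepts that start within `window` seconds of one another.
        peak = max(sum(t - t0 <= window for t in times[i:]) for i, t0 in enumerate(times))
        if peak >= threshold:
            flagged[station] = peak
    return flagged

def make_pkt(code, ident, station=b""):
    # Constructed packet: zeroed authenticator, optional Calling-Station-Id.
    attr = bytes([CALLING_STATION_ID, len(station) + 2]) + station if station else b""
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed sample: one station accepted 7 times in about 30 s, another once.
SAMPLE = []
for i in range(7):
    SAMPLE += [(i * 5.0, "10.0.0.2", make_pkt(1, i, b"00-11-22-33-44-55")),
               (i * 5.0 + 0.2, "10.0.0.2", make_pkt(2, i))]
SAMPLE += [(40.0, "10.0.0.2", make_pkt(1, 99, b"66-77-88-99-AA-BB")), (40.1, "10.0.0.2", make_pkt(2, 99))]
```

A station flagged here was authenticated repeatedly by the server, which places the cause of the loop after the Access-Accept (AP, wireless link or supplicant) rather than in the RADIUS exchange.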