Indeterministic EAP error
Matthias Nagel
matthias.h.nagel at gmail.com
Thu Oct 4 17:45:30 CEST 2012
Hello,
sometimes I get the error
WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!
in my log files / debug output. Before anybody says "have a look at
http://deployingradius.com/documents/configuration/eap-problems.html
and that will help", please read on, because I have already done that and I believe the problem is a little bit more tricky.
I support PEAP+MsCHAPv2 only and 90% of the time it just works. I am pretty sure that the certificate is all right. If anybody wants to check it, one can find it here
https://freeradius:eaperror@www.stud.uni-karlsruhe.de/~uzbii/hekauth-certs.pem
The certificate file includes all intermediate issuers and the trusted CA. The CA is Germany's biggest telco, so most OSes ship with that by default. The certificate also includes the X509v3 Extended Key Usage TLS Web Client Authentication and TLS Web Server Authentication in order to satisfy Windows clients.
My radius config looks like this:
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/hekauth-key.pem
certificate_file = ${certdir}/hekauth-certs.pem
# CA_file =
CA_path = ${certdir}/empty-by-purpose/
If a new client connects for the very first time, most OSes automatically detect the correct authentication scheme, ask for username and password, present the certificate for confirmation and it works out of the box. (No errors on either the client or the server side.)
Randomly, I get this error message although the respective client normally works. In that case the client just restarts the authentication and then succeeds on the second trial. Hence the only difference the user might notice is an authentication that might take some milliseconds longer.
During the last four days there have been 1278 such errors, 2519 sessions and 9651 successful authentication attempts, i.e. each session triggered approximately 3.8 re-authentications, across 93 different clients and at least 6 different OSes.
I cannot find any pattern, so I do not believe it to be a client side issue.
Of course, one can argue to ignore the warning as it works most of the time, but I do not like indeterministically behaving IT systems, hence it preys on my mind.
Does anybody have an idea what the reason might be? If anybody wants to see a full debug output or a tcpdump, I can provide you with plenty of that. But I could not find anything.
Yours, Matthias
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.nagel at gmail.com
ICQ: 499797758
Skype: nagmat84
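One way to test the "no pattern" claim against radius.log, as an added example that is not from the post or from FreeRADIUS itself: the warning line carries only the EAP state and no client identity, so this script pairs each warning with the client's immediate retry (the next "Login OK" within a short window, the behaviour the post describes) and then counts warnings per calling station. The log layout, the 30-second window and the sample lines are constructed assumptions modelled on the FreeRADIUS 2.x radius.log style.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed radius.log layout (FreeRADIUS 2.x style): "<timestamp> : <level>: <message>".
TS = r"(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
WARN_RE = re.compile(TS + r" : (?:\w+: )?WARNING: !! EAP session for state (0x[0-9A-Fa-f]+) did not finish!")
OK_RE = re.compile(TS + r" : Auth: Login OK: \[(\S+)\] \(from client \S+ port \d+ cli (\S+)\)")

# Constructed sample log lines, not real data from the post.
SAMPLE_LOG = """\
Thu Oct  4 17:45:30 2012 : Error: WARNING: !! EAP session for state 0x0a1b2c3d4e5f6071 did not finish!
Thu Oct  4 17:45:31 2012 : Auth: Login OK: [alice] (from client ap1 port 0 cli 00-11-22-33-44-55)
Thu Oct  4 17:46:02 2012 : Auth: Login OK: [bob] (from client ap1 port 0 cli 66-77-88-99-aa-bb)
Thu Oct  4 17:50:10 2012 : Error: WARNING: !! EAP session for state 0x1122334455667788 did not finish!
Thu Oct  4 17:50:11 2012 : Auth: Login OK: [alice] (from client ap2 port 0 cli 00-11-22-33-44-55)
Thu Oct  4 18:02:00 2012 : Error: WARNING: !! EAP session for state 0x99aabbccddeeff00 did not finish!
Thu Oct  4 18:30:00 2012 : Auth: Login OK: [carol] (from client ap1 port 0 cli cc-dd-ee-ff-00-11)
"""

def parse_ts(s):
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")

def attribute_warnings(log_text, window=timedelta(seconds=30)):
    """Pair each 'did not finish' warning with the next Login OK inside `window`
    (the client's retry) and count warnings and successes per calling station.
    Warnings with no retry inside the window are returned as unattributed states."""
    events = []
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            events.append((parse_ts(m.group(1)), "warn", m.group(2)))
        elif m := OK_RE.search(line):
            events.append((parse_ts(m.group(1)), "ok", m.group(3)))
    events.sort(key=lambda e: e[0])
    warnings, successes, unattributed, pending = Counter(), Counter(), [], []
    for ts, kind, value in events:
        if kind == "warn":
            pending.append((ts, value))
            continue
        successes[value] += 1
        # Expire warnings whose retry window has already passed, oldest first.
        while pending and ts - pending[0][0] > window:
            unattributed.append(pending.pop(0)[1])
        if pending:  # the oldest remaining warning is this client's retry
            warnings[value] += 1
            pending.pop(0)
    unattributed.extend(state for _, state in pending)
    return {"warnings": warnings, "successes": successes, "unattributed": unattributed}

def retry_rates(result):
    """Fraction of each client's successful logins that followed an unfinished session."""
    return {cli: result["warnings"][cli] / n for cli, n in result["successes"].items()}
```

Run `retry_rates(attribute_warnings(open("radius.log").read()))` on a real log and sort by rate: if a handful of stations carry most of the warnings the cause is client-side, whereas a flat distribution points back at the server or the network path.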