No EAP session matching the State variable

Contact (COEXSI) contact at coexsi.fr
Thu May 15 23:34:26 CEST 2014


Dear all,

I'm trying to set up EAP-MD5 authentication with a NAS that looks bogus
in my opinion.

The exchange starts correctly: the NAS sends an Access-Request packet
with an EAP Response giving its identity.
The server responds with an Access-Challenge and a state variable.
Then the NAS sends a second Access-Request with the challenge and the
state variable.
The server responds with an Access-Reject because there is "No EAP
session matching the State variable".

After comparing the exchange with the provided test tool "radtest -t
eap-md5", I have noticed a difference in the EAP message identifiers used
(not the RADIUS identifier).

With the "radtest" client, the first Access-Request message sent contains a
random EAP identifier generated by the client.
The server answers with an "Access-Challenge", changing the EAP identifier to
its own identifier (different from the one provided by the client), and the
state variable.
The "radtest" client then sends the challenge response using the EAP
identifier received from the server (and forgetting the one it used for
its first message).
The server keeps the EAP identifier in the last message sent (Access-Accept).

In the case of the bogus NAS I'm testing, it's quite different.
The NAS sends the first message with its own EAP identifier (normal).
The server responds with a new EAP identifier that it has generated (seems
normal).
The NAS sends the second message with a new EAP identifier (different from
the first one it used and from the one received from the server).
The server then complains about "No EAP session matching the State variable"
and sends an "Access-Reject".

I think this message is because of an EAP identifier mismatch, as the NAS didn't
use the EAP identifier chosen by the server.
Can someone confirm that the EAP identifier to be used in the exchange
is the one chosen by the server?

Best regards,
Sebastien.
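
The identifier comparison described in the message above, as an added example that is not part of the original post or of FreeRADIUS: RFC 3748 requires a Response to carry the Identifier of the outstanding Request, and the EAP-MD5 value is hashed over that identifier (RFC 1994). The helper names, password, challenge and identifier values are constructed for illustration.

```python
import hashlib
import struct

EAP_TYPE_MD5 = 4  # MD5-Challenge, RFC 3748 section 5.4

def build_eap(code, ident, eap_type, data):
    """Build an EAP Request/Response: Code, Identifier, Length, Type, Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    """Parse an EAP Request/Response into its header fields and type data."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if not 5 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    return {"code": code, "id": ident, "type": eap_type, "data": pkt[5:length]}

def md5_value(data):
    """MD5-Challenge type data is Value-Size(1), Value, then optional Name."""
    if not data or data[0] > len(data) - 1:
        raise ValueError("bad MD5-Challenge value size")
    return data[1:1 + data[0]]

def md5_response(ident, password, challenge):
    """CHAP-style hash (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def check_response(request, response, password):
    """List what is wrong with a Response to the outstanding server Request."""
    req, rsp = parse_eap(request), parse_eap(response)
    problems = []
    if rsp["id"] != req["id"]:
        problems.append(f"identifier mismatch: request={req['id']} response={rsp['id']}")
    if req["type"] == rsp["type"] == EAP_TYPE_MD5:
        expected = md5_response(req["id"], password, md5_value(req["data"]))
        if md5_value(rsp["data"]) != expected:
            problems.append("hash is not MD5(request id || password || challenge)")
    return problems

# Constructed sample exchange (not a capture from the NAS in the post).
PASSWORD = b"example-password"
CHALLENGE = bytes(range(16))
# Server Request (code 1) with identifier 2; Responses (code 2) echo 2 or use 77.
REQUEST = build_eap(1, 2, EAP_TYPE_MD5, bytes([16]) + CHALLENGE)
GOOD = build_eap(2, 2, EAP_TYPE_MD5, bytes([16]) + md5_response(2, PASSWORD, CHALLENGE))
BAD = build_eap(2, 77, EAP_TYPE_MD5, bytes([16]) + md5_response(77, PASSWORD, CHALLENGE))

print(check_response(REQUEST, GOOD, PASSWORD), check_response(REQUEST, BAD, PASSWORD))
```

Feeding it the EAP-Message attribute bytes from a packet capture of the Access-Challenge and the following Access-Request shows whether the NAS echoed the server's identifier.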



