No EAP session matching the State variable

Alan DeKok aland at
Fri May 16 14:52:54 CEST 2014

Contact (COEXSI) wrote:
> In the case of the bogus NAS I'm testing, it's quite different.
> The NAS send the first message with its own EAP identifier (normal).
> The server respond with a new EAP identifier that it has generated (seems
> normal).
> The NAS send the second message with a newly EAP identifier (different from
> the first one it has used and from the one received from the server)

  It's broken.  Such behavior is forbidden in EAP.  RFC 3748 says that
the identifier field MUST match.

> Can someone can confirm that the EAP identifier to be used in the exchange
> is the one chosen by the server?

  Yes.  EAP-Requests are sent by the server to the client.
EAP-Responses are sent from the client to the server.  The identifier in
the EAP response has to match the identifier in the EAP request.

  Alan DeKok.

More information about the Freeradius-Users mailing list