rlm_eap problem after upgrade from 2.1.12 to 2.2.5 via radsecproxy

[Thomas Boettcher]

Hi Alan,

thanks for your answer.

On 02.09.2014 18:13, Alan DeKok wrote:
> Thomas Boettcher wrote:
>> after upgrading from 2.1.12 to 2.2.5 without any configuration changes I
>> register an enormous (times 31 (562:17678 per day)) amount of error
>> messages:
>> "rlm_eap: No EAP session matching the State variable."
>
>    That's generally a proxy problem.  The client transmits a packet
> through proxy A, and retransmits the same packet through proxy B.

what me concerns is, that the problem occurs, when MY freeradius is 
upgraded. So it looks to me that the software is handling something 
within the eap more strictly.

>> Users from the remote locations brought me to the Problem since they are
>> authenticated OK and just seconds later the above error results in a
>> "Login incorrect".
>
>    No.  If they're authenticated OK, then they're authenticated.  There
> is no way to remotely fail an authentication which previously succeeded.

I analysed my logs and picked some users with high amounts of Login 
problems. Running in 2.1.12 there is also a high amount of Logins for 
this user at the remote site. The only difference is, that they all are 
accepted. In 2.2.5 I get this:
2 Login OK (outer and inner Tunnel)
5-10 secs later: rlm_eap State variable error with Login incorrect.
This repeats mostly every 30 seconds.
Leads me to the assumption, that the remote NAS is doing Login requests 
very ofter (maybe WLAN coverage holes or many autonomous APs).

>    Run the server in debugging mode.

I will get back, wenn set up a fresh radius server for debugging purpose.

Thomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4807 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140903/a185bf29/attachment.bin>