EAP Session problems

Cardinal-Richards, Emma e.cardinal-richards at ucl.ac.uk
Mon Sep 8 11:21:23 CEST 2014

> On 8 Sep 2014, at 09:18, Cardinal-Richards, Emma <e.cardinal-
> richards at ucl.ac.uk> wrote:
> > I'm experiencing a problem with EAP sessions/new conversations not
> starting when I'm using the Janet testing as shown below.
> I'm not sure I fully understand your current configuration - are you saying
> that you're routing test.ucl.ac.uk from your production radius servers, via the
> national proxies, back to your pre-production servers?

I believe that's the process of the test as per the guidance from JANET here?  This is for testing purposes, not our final configuration.

"ORPS Testing
Setting an ORPS to testdev allows organisations to bring up a test box and for it to only be sent specific test traffic during logic/rules checking etc. eduroam administrators will need to generate such test traffic themselves, eg. by using rad_eap_test with the username 'testuser at test.youruniversity.ac.uk' to do a 'loopback test' to the new systems. This can be done by using your live systems:

'testuser at test.youruniversity.ac.uk' -> Production ORPS -> NRPS -> Testdev ORPS

For this test realm handling facility to work eduroam administrators do NOT have to specifically configure a 'test' sub-realm (eg.'test.youruniversity.ac.uk') in the Realms section of eduroam Support."

I was just concerned that this behaviour would mean our roaming clients would fail to authenticate back to us when they're visiting another institution.

> The issue seems to be that your client is responding too slowly:
> > Finished request 0.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > Cleaning up request 0 ID 1 with timestamp +17
> Increase the cleanup delay in radiusd.conf and requests should complete -
> but over 5 seconds is an obscenely long time, things should be much faster.

Dropping it to 3 seconds fixes it.. 

> Could you give an overview of where the requests being transmitted to the
> NRPS are originating from?

Sorry do you mean the client? I tested from my Linux (Ubuntu) laptop and my colleagues Windows 7 laptop with the same behaviour.

> > The other odd behaviour is that despite getting a REJECT from this testdev
> server, I get authenticated by our production ORPS using
> 'username at test.ucl.ac.uk' which is not a declared local realm on the
> production ORPS.
> We'd need to see a log from the production servers to investigate this.

Just wondering is this technically correct behaviour (will have to organise a specific time to run it in debug on our live servers..) my 'test' user gets authenticated on my test ORPS so the NRPS tell my production ORPS (as if they are another institution I'm visiting) to allow me on the network?


More information about the Freeradius-Users mailing list