"WARNING: !! EAP session for state ... did not finish!", And Other Warnings

Jim Seymour jseymour at LinxNet.com
Sat Oct 3 02:08:45 CEST 2015

On Sat, 3 Oct 2015 00:01:14 +0100
Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> So this is why you get on. The *second* auth request succeeds.

I wondered about that.  Thanks for the analysis, Matthew!

> > Cleaning up request 4 ID 4 with timestamp +32
> > WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish!
> > WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
> > WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Note state 0x98bd76209cb86f3a above - this is the *first* request.

Ah hah.  I would've tried to make that association (no pun intended),
but "for state <long-hex-string>" looked like some kind of, well,
*state*.  That's more like a... I dunno... session or sequence i.d.,
is it not?

> So the question is... why did the client reject the first auth,
> but then immediately re-try and accept the certificate the second
> time.
> I'd look at the client and see if you can get logs off it (hard on
> Windows I know, have to enable eap tracing, it's a right pig to
> read compared to -X on the server side...)

Ei yi yi :(

> to see why it rejected
> the first time - if you can get anything from it. I'm assuming the
> TLS Server OID is in the cert because it works the second time,
> but worth checking anyway.

How do I check that?

> Check the certificate chain to make sure that it all verifies OK
> and has nothing that looks odd about it.

It verifies.  What to look for that would be "odd" about it?

> Has the client got the
> root CA installed properly?

The client does not have the root CA installed at all.  That was
never necessary in the past.

Note: The exact same user account with the exact same username and
password exists on the production (live) network, and one of the APs
is the exact same hardware and firmware, and the client authenticates
just fine.  So does every one of the other 26 or so wireless clients.

> Try removing the entire client config and setting it up again.
> I've seen Win7 get itself confused and removing and adding the
> wireless settings has sorted it.

Well... okay.  I'll give it a try on Monday.

Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
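
On the "TLS Server OID" question raised in the thread, here is one way to check it with the openssl command line. This is an added example, not part of the original message; the file names, the CN and the helper names `eku_status` and `make_demo_cert` are constructed for illustration, and the throwaway certificates exist only to show the three possible outcomes.

```shell
#!/bin/sh
# Added example. File names and the CN are constructed placeholders.

# Print "ok" if the cert's Extended Key Usage lists id-kp-serverAuth
# (1.3.6.1.5.5.7.3.1, shown by openssl as "TLS Web Server Authentication"),
# "no-serverauth" if an EKU exists without it, "missing" if there is no EKU
# (or the file cannot be parsed as a certificate).
eku_status() {
    eku_line=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
               grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    if [ -z "$eku_line" ]; then
        echo missing
    elif printf '%s\n' "$eku_line" | grep -q 'TLS Web Server Authentication'; then
        echo ok
    else
        echo no-serverauth
    fi
}

# Generate a throwaway self-signed cert in directory $1 using extension
# section $2 (with_eku | client_only | no_eku); prints the cert path.
make_demo_cert() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.test
[with_eku]
extendedKeyUsage = serverAuth
[client_only]
extendedKeyUsage = clientAuth
[no_eku]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/demo.cnf" -extensions "$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1 || return 1
    echo "$1/$2.pem"
}

# Demo: show the result for each constructed certificate.
demo_dir=$(mktemp -d)
for sect in with_eku client_only no_eku; do
    cert=$(make_demo_cert "$demo_dir" "$sect") && echo "$sect: $(eku_status "$cert")"
done
rm -rf "$demo_dir"
```

To check a real deployment, call `eku_status` on the server certificate file that the EAP module is configured to present.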
