Jonathan.Gazeley at bristol.ac.uk
Thu Feb 11 15:28:08 CET 2016
On 11/02/16 09:51, A.L.M.Buxey at lboro.ac.uk wrote:
>> Is there a way to fabricate EAP/MSCHAPv2 packets such that we
>> can reliably provoke the server into using session resumption or
>> not? This way we would be able to
>> test->capture->debug->fix->repeat much more quickly.
> use eapol_test from the wpa_supplicant system
> it's likely that you have some policy or unlang corner-case that isn't
> matching the cache...or you aren't querying the existing cache entry
> and adding other stuff based on the new NAS id - possibly roaming
> events between 2 separate controllers etc etc
I've captured a debug log which contains two authentications, both of
which are successful. I have disabled the TLS cache so session
resumption shouldn't occur.
However, something seems odd with the EAP session state expiry. The
attached log came from a single AP connected to a single WISM in our lab
(so this rules out roaming events between controllers and/or APs).
From what I can tell, the server is trying to repeatedly expire EAP
session with state 0x6fc3095a6cc610be. This session is first mentioned
on line 3805 but e.g. on line 4012 it is expired but mentioned alongside
another session. From then onwards, every packet that is handled tries
to expire 0x6fc3095a6cc610be but mentions finishing a different session
(e.g. line 4013)
Is this normal?