EAP-TLS context uninitialized

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jan 5 21:34:57 CET 2016


> On Jan 5, 2016, at 2:28 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> 
> Hi Arran,
>  I'll check the NAS but am confused as it should (to me) have been a problem before. Pre-auth is turned on, but never caused a problem previously.

That's different: you're talking about 802.11 PMK caching; this is TLS session resumption, where the keys, certificates, and negotiated cipher suites from a previous TLS session are re-used.

TLS session resumption is controlled by the cache section in the eap configuration file.  Should be a toggle.  If it's not there, try using an updated version of the mods-available/eap file; many settings for cache control have changed.

> It seems to be generally worse when there are lots of auth requests, but then sometimes there's just one happening and it'll do it. It's not related to client detail, as sometimes a specific client is fine, and on another occasion it'll fail.
> I've yet to check it in non-debug mode, which is a bit daft of me, it's obviously running single threaded and echoing to screen, maybe that's slowing it to "not coping" point.

Not unless you're putting significant load on it.

> I'll keep digging, guess there's nothing obvious between versions?

No, and I've never seen that message before, but we have rewritten a lot of the EAP-TLS code in v3.1.x.

Knowing the OpenSSL version would be useful too (output at the top of the radiusd -X output). I mostly test with 1.0.2, Travis will probably be 0.9.8, so interactions with 1.0.0 and 1.0.1 are not well tested.

-Arran