Help troubleshooting No EAP session matching...

Alan DeKok aland at
Thu Sep 15 16:16:19 CEST 2016

On Sep 15, 2016, at 9:57 AM, Dave Aldwinckle <daldwinc at> wrote:
> During periods of high load, we are seeing many messages like the following:
> radiusd[28187]: rlm_eap: No EAP session matching the State variable.
> I understand the meaning of the message, but I need some assistance on how to go about locating the source of the problem.

  If it's high load, the problem is starvation.  Either the CPU is overloaded, or the back-end is overloaded.

> During peak times, we have about 8K wireless logins per minute, for extended periods. We have 6 wireless controllers, from which the Access-Requests are sent. Due to the high load, I am unable to run the server with -X, because it gets crushed while running single threaded. I can use radmin, but I'm not sure what to set the debug condition to.
> I don't see any errors about child processes being hung, or winbind/ntlm_auth taking too long.

  Yeah, ntlm_auth typically maxes out at 100 to 200 authentications per second.  That's likely the problem.

> $ openssl speed rsa2048
> Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
> Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s

  The server should be able to do 1000 or more EAP authentications per second.

> So, a couple questions:
> 1. Is there a way to get more info along with the message "rlm_eap: No EAP session matching the State variable." ?
>    - eg. Which NAS it came from, calling-station-id, etc.

  The NAS information is in the other attributes.  You can look at the post-auth-type Reject to log things.

> 2. Are the aforementioned values OK?

  They're fine.

  Alan DeKok.

More information about the Freeradius-Users mailing list