Help troubleshooting No EAP session matching...
aland at deployingradius.com
Thu Sep 15 16:16:19 CEST 2016
On Sep 15, 2016, at 9:57 AM, Dave Aldwinckle <daldwinc at uwaterloo.ca> wrote:
> During periods of high load, we are seeing many messages like the following:
> radiusd: rlm_eap: No EAP session matching the State variable.
> I understand the meaning of the message, but I need some assistance on how to go about locating the source of the problem.
If it's high load, the problem is starvation. Either the CPU is overloaded, or the back-end is overloaded.
> During peak times, we have about 8K wireless logins per minute, for extended periods. We have 6 wireless controllers, from which the Access-Requests are sent. Due to the high load, I am unable to run the server with -X, because it gets crushed while running single threaded. I can use radmin, but I'm not sure what to set the debug condition to.
> I don't see any errors about child processes being hung, or winbind/ntlm_auth taking too long.
Yeah, ntlm_auth typically maxes out at 100 to 200 authentications per second. That's likely the problem.
> $ openssl speed rsa2048
> Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
> Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s
The server should be able to do 1000 or more EAP authentications per second.
> So, a couple questions:
> 1. Is there a way to get more info along with the message "rlm_eap: No EAP session matching the State variable." ?
> - eg. Which NAS it came from, calling-station-id, etc.
The NAS information is in the other attributes. You can look at the post-auth-type Reject to log things.
> 2. Are the aforementioned values OK?
More information about the Freeradius-Users