Issue with EAP authentication on packet loss
jm+freeradiususer at roth.lu
Wed Apr 25 09:52:59 CEST 2018
Hello,
We have a problem when packet loss occurs at step #4 of the EAP dialogue:
1) Access-Request
2) Access-Challenge
3) Access-Request
4) Accept or Reject (in this case: Access-Accept)
5) Access-Request (duplicate)
6) Reject
In this case, #4 is sent by the server but gets lost on its way to the
NAS. I've managed to reproduce it by using iptables to drop the packet. So
after some time the NAS sends packet #3 again. At that point I am
getting "No EAP session matching state" from the eap module in the
"authenticate" section and the request is rejected.
This is consistent with what we see in step #4 (upon sending the
Access-Accept which gets lost), namely this:
(1) eap : Expiring EAP session with state 0x2f8521a02f84259c
(1) eap : Finished EAP session with state 0x2f8521a02f84259c
(1) eap : Previous EAP request found for state 0x2f8521a02f84259c, released from the list
Who's at fault? How do you solve this (except for not using UDP)? Do you
set aggressive timeouts/retries on the NAS?
Thanks,
Marki
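
The six-step exchange described in the message above, as an added model that is not part of the original post and is not FreeRADIUS code. It assumes the EAP session list is a table keyed by State that is released once the final reply is sent, and contrasts that with a hypothetical duplicate-detection cache keyed on source, Identifier and Request Authenticator; all class, function and address names are constructed.

```python
# Constructed model of the dialogue; names are hypothetical, not FreeRADIUS internals.
import os


class EapServer:
    def __init__(self, dedup=False):
        self.sessions = {}   # State -> in-progress EAP session
        self.replies = {}    # (src, id, authenticator) -> last reply sent
        self.dedup = dedup   # assumption: optional cache of recent replies

    def handle(self, src, ident, authenticator, state=None):
        key = (src, ident, authenticator)
        # A retransmission carries the same Identifier and Request
        # Authenticator as the original, so it can be recognised and
        # answered with the reply that was already computed.
        if self.dedup and key in self.replies:
            return self.replies[key]
        if state is None:
            # Step 1 -> 2: open a session and hand its State to the NAS.
            new_state = os.urandom(8).hex()
            self.sessions[new_state] = "in-progress"
            reply = ("Access-Challenge", new_state)
        elif state in self.sessions:
            # Step 3 -> 4: EAP finishes, the session is released from the list.
            del self.sessions[state]
            reply = ("Access-Accept", None)
        else:
            # Step 5 -> 6 without a cache: "No EAP session matching state".
            reply = ("Access-Reject", None)
        # A real cache would expire entries after a short delay.
        self.replies[key] = reply
        return reply


def run_dialogue(server, nas="192.0.2.10"):
    """Return (reply lost in transit at step 4, reply to the duplicate at step 6)."""
    _, state = server.handle(nas, 1, b"a" * 16)        # steps 1-2
    lost = server.handle(nas, 2, b"b" * 16, state)     # steps 3-4, dropped en route
    retry = server.handle(nas, 2, b"b" * 16, state)    # steps 5-6, NAS retransmits #3
    return lost[0], retry[0]


if __name__ == "__main__":
    print("no cache:  ", run_dialogue(EapServer(dedup=False)))
    print("with cache:", run_dialogue(EapServer(dedup=True)))
```
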