Issue with EAP authentication on packet loss

Alan Buxey alan.buxey at gmail.com
Wed Apr 25 10:19:35 CEST 2018


Find and fix the packet loss cause

alan

On Wed, 25 Apr 2018, 08:53, <jm+freeradiususer at roth.lu> wrote:

> Hello,
>
> We have a problem when packet loss occurs at step #4 of the EAP dialogue:
> 1) Access-Request
> 2) Access-Challenge
> 3) Access-Request
> 4) Accept or Reject (in this case: Access-Accept)
> 5) Access-Request (duplicate)
> 6) Reject
>
> In this case, #4 is sent by the server but gets lost on its way to the
> NAS. I've managed to reproduce this using iptables to drop the packet. So
> after some time the NAS sends packet #3 again. At that point I am
> getting "No EAP session matching state" from the eap module in the
> "authenticate" section and the request is rejected.
>
> This is consistent with what we see in step #4 (upon sending the
> Access-Accept which gets lost), namely this:
> (1) eap : Expiring EAP session with state 0x2f8521a02f84259c
> (1) eap : Finished EAP session with state 0x2f8521a02f84259c
> (1) eap : Previous EAP request found for state 0x2f8521a02f84259c, released from the list
>
> Who's at fault? How do you solve this (except for not using UDP)? Do you
> set aggressive timeouts/retries on the NAS?
>
> Thanks,
> Marki
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
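
To measure how often the failure described in the quoted message occurs, the debug output can be correlated by EAP state. The following is an added example, not part of the original thread and not FreeRADIUS code. The sample lines are constructed from the messages quoted above, and it is an assumption that the "No EAP session matching state" line carries the state value.

```python
import re
from collections import Counter

# Constructed debug lines modelled on the messages quoted in the thread.
# Assumption: the "No EAP session matching state" line includes the state value.
SAMPLE_LOG = """\
(1) eap : Expiring EAP session with state 0x2f8521a02f84259c
(1) eap : Finished EAP session with state 0x2f8521a02f84259c
(1) eap : Previous EAP request found for state 0x2f8521a02f84259c, released from the list
(2) eap : No EAP session matching state 0x2f8521a02f84259c
(5) eap : No EAP session matching state 0x00000000deadbeef
"""

LINE = re.compile(r"^\((\d+)\)\s+eap\s*:\s*(.*)$")   # "(N) eap : message"
STATE = re.compile(r"state (0x[0-9a-fA-F]+)")

def classify(log_text):
    """Return [(request_no, state, verdict)] for every 'No EAP session' line."""
    finished = {}    # state -> request number in which the session was finished
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(2)
        s = STATE.search(msg)
        state = s.group(1).lower() if s else None
        if msg.startswith("Finished EAP session") and state:
            finished[state] = req
        elif msg.startswith("No EAP session matching state"):
            if state in finished:
                # The session ended earlier in this log: the NAS is most likely
                # resending because the final reply never reached it.
                verdict = f"retransmit after final reply in request {finished[state]}"
            else:
                verdict = "state never seen in this log"
            findings.append((req, state, verdict))
    return findings

def summary(findings):
    """Count findings per category."""
    return Counter("lost-final-reply" if v.startswith("retransmit") else "unknown-state"
                   for _, _, v in findings)

if __name__ == "__main__":
    for req, state, verdict in classify(SAMPLE_LOG):
        print(f"request {req}: {state}: {verdict}")
```
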

