Issue with EAP authentication on packet loss

Stefan Winter stefan.winter at restena.lu
Wed Apr 25 10:45:08 CEST 2018


Hi,

> We have a problem when packet loss occurs at step #4 of the EAP dialogue:
> 1) Access-Request
> 2) Access-Challenge
> 3) Access-Request
> 4) Accept or Reject (in this case: Access-Accept)
> 5) Access-Request (duplicate)
> 6) Reject
> 
> In this case, #4 is sent by the server but gets lost on its way to the
> NAS. I've managed to reproduce it using iptables to drop the packet. So
> after some time the NAS sends packet #3 again. At that point I am
> getting "No EAP session matching state" from the eap module in the
> "authenticate" section, and the request is rejected.

To be fair, this is not limited to packet loss.

We've seen this in normal operations - the story goes like:
- server sends Access-Accept with an attribute X via a chain of proxies
- some proxy takes offence at the presence of attribute X and discards it
- client times out and re-sends
- server has forgotten all about the session state, rejects

I believe the underlying issue is that FreeRADIUS thinks "fire and
forget" when the final packet is out.

IMHO it would be useful to maintain session state as it does for any of
the intermediate packets (30s by default?).

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
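The six-step dialogue from the post, as an added example that is not FreeRADIUS code and not part of the original message. It models a server that forgets the session as soon as the final reply is sent (what the post calls "fire and forget") next to one that keeps the final reply for the session lifetime, and plays the retransmit of packet #3 against both. Packet contents, the 30 s lifetime and the field names (`id`, `auth`, `State`, `ok`) are constructed assumptions; a real server would also check the shared-secret Message-Authenticator before answering anything.

```python
import os
import time

# Added example, not FreeRADIUS code: a minimal model of the EAP/RADIUS
# exchange from the post. Only the fields needed for the logic are modelled:
# RADIUS identifier, Request Authenticator, the State attribute, and a
# constructed "ok" flag standing in for a successful EAP method result.

SESSION_TTL = 30.0  # seconds; assumed, matches the "30s by default?" in the post


class RadiusServer:
    def __init__(self, retain_final, now=time.monotonic):
        self.retain_final = retain_final   # False = fire and forget
        self.now = now                     # injectable clock for tests
        self.sessions = {}                 # State -> session record

    def _expire(self):
        t = self.now()
        for state in [s for s, v in self.sessions.items() if v["expires"] <= t]:
            del self.sessions[state]

    def handle(self, req):
        self._expire()
        state = req.get("State")
        if state is None:
            # Steps 1/2: new conversation, answer with a Challenge and a fresh State.
            state = os.urandom(16)
            self.sessions[state] = {"expires": self.now() + SESSION_TTL, "final": None}
            return {"code": "Access-Challenge", "State": state}

        sess = self.sessions.get(state)
        if sess is None:
            # Steps 5/6 in the fire-and-forget case: the State is no longer known.
            return {"code": "Access-Reject", "reason": "No EAP session matching state"}

        if sess["final"] is not None:
            # A request for an already finished session. Treat it as a retransmit
            # only if it is the same packet (same id and Request Authenticator);
            # a different request reusing the State must not get the cached Accept.
            if (req["id"], req["auth"]) == sess["final_key"]:
                return dict(sess["final"], replayed=True)
            return {"code": "Access-Reject", "reason": "State reused after completion"}

        # Steps 3/4: final leg, decide and answer.
        reply = {"code": "Access-Accept" if req.get("ok") else "Access-Reject"}
        if self.retain_final:
            sess["final"] = reply
            sess["final_key"] = (req["id"], req["auth"])
            sess["expires"] = self.now() + SESSION_TTL
        else:
            del self.sessions[state]   # the behaviour the post describes
        return reply


def run_exchange(retain_final, drop_final=True, now=time.monotonic):
    """Play the dialogue from the post. Returns the replies the NAS actually
    receives; the last element is what it sees after retransmitting packet #3."""
    server = RadiusServer(retain_final, now=now)
    seen = []

    # 1) Access-Request  2) Access-Challenge
    challenge = server.handle({"id": 1, "auth": os.urandom(16)})
    seen.append(challenge)

    # 3) Access-Request carrying State  4) Access-Accept (lost when drop_final)
    final_req = {"id": 2, "auth": os.urandom(16), "State": challenge["State"], "ok": True}
    accept = server.handle(final_req)
    if not drop_final:
        seen.append(accept)
        return seen

    # 5) NAS times out and resends the identical packet  6) the server's answer
    seen.append(server.handle(dict(final_req)))
    return seen


if __name__ == "__main__":
    print("fire and forget:", run_exchange(retain_final=False)[-1])
    print("retained final :", run_exchange(retain_final=True)[-1])
```

Keying the replay on the identical packet rather than on the State alone matters: the State is visible to every proxy on the path, so a cached Accept must only ever go back in answer to the exact request it was produced for.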