Issue with EAP authentication on packet loss

Alan DeKok aland at
Wed Apr 25 16:51:14 CEST 2018

On Apr 25, 2018, at 10:45 AM, jm+freeradiususer at wrote:
> Unfortunately, that doesn't seem to be the case.
> Final packet sent to the NAS (which is lost):
> (5) eap: Expiring EAP session with state 0x88491844885a1c9c
> (5) eap: Finished EAP session with state 0x88491844885a1c9c
> (5) eap: Previous EAP request found for state 0x88491844885a1c9c, released from the list
> NAS retries after 15 < cleanup_delay = 20 seconds: No success: (even Wireshark detects it as a duplicate, so I guess it is actually a repetition of the initial packet)

  If it's a duplicate packet, then the duplicate detection cache should catch it.  Especially if cleanup_delay is 20 seconds, and the NAS retransmits after 15.

> (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x88491844885a1c9c
> (6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
> (6) eap: Failed in handler

  That means the packet *wasn't* found in the duplicate detection cache.

  If it can be reproduced in 6 packets, then do "radiusd -Xx" and send that to the list.  This is one of the few times where the extra 'x' is useful.

  Alan DeKok.

More information about the Freeradius-Users mailing list