Issue with EAP authentication on packet loss
Alan DeKok
aland at deployingradius.com
Wed Apr 25 16:51:14 CEST 2018
On Apr 25, 2018, at 10:45 AM, jm+freeradiususer at roth.lu wrote:
> Unfortunately, that doesn't seem to be the case.
>
> Final packet sent to the NAS (which is lost):
> (5) eap: Expiring EAP session with state 0x88491844885a1c9c
> (5) eap: Finished EAP session with state 0x88491844885a1c9c
> (5) eap: Previous EAP request found for state 0x88491844885a1c9c, released from the list
>
> NAS retries after 15 < cleanup_delay = 20 seconds: No success: (even Wireshark detects it as a duplicate, so I guess it is actually a repetition of the initial packet)

If it's a duplicate packet, then the duplicate detection cache should catch it. Especially if cleanup_delay is 20 seconds, and the NAS retransmits after 15.

> (6) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x88491844885a1c9c
> (6) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
> (6) eap: Failed in handler

That means the packet *wasn't* found in the duplicate detection cache.

If it can be reproduced in 6 packets, then do "radiusd -Xx" and send that to the list. This is one of the few times where the extra 'x' is useful.

Alan DeKok.
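
An added example, not part of the original message and not FreeRADIUS code: a simplified model of a duplicate detection cache, showing which differences make a retransmission miss the cache even though it arrives inside cleanup_delay. Keying on source IP, source port and Identifier and comparing the Request Authenticator is an assumption of this model; the class and function names, addresses and packets are constructed for illustration.

```python
import struct

CLEANUP_DELAY = 20  # seconds, the value quoted in the thread


def parse_header(raw):
    """Return (code, identifier, authenticator) from the 20-byte RADIUS header."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field")
    return code, ident, raw[4:20]


class DupCache:
    """Model only: a reply stays cached for cleanup_delay seconds after it is sent."""

    def __init__(self, cleanup_delay=CLEANUP_DELAY):
        self.cleanup_delay = cleanup_delay
        self.entries = {}  # (src_ip, src_port, id) -> (authenticator, reply_sent_at)

    def classify(self, src_ip, src_port, raw, now):
        _, ident, auth = parse_header(raw)
        key = (src_ip, src_port, ident)
        hit = self.entries.get(key)
        if hit and now - hit[1] < self.cleanup_delay and hit[0] == auth:
            return "duplicate"  # cached reply is resent, modules are not run again
        self.entries[key] = (auth, now)  # model: the reply is sent immediately
        return "new"  # processed from scratch, so an already released State fails


def make_request(ident, auth):
    """Constructed Access-Request (code 1) with no attributes."""
    return struct.pack("!BBH", 1, ident, 20) + auth


def demo():
    cache = DupCache()
    pkt = make_request(7, bytes(range(16)))
    nas = "192.0.2.10"  # constructed NAS address
    return [
        cache.classify(nas, 40000, pkt, now=0),    # original request
        cache.classify(nas, 40000, pkt, now=15),   # true retransmit after 15 s
        cache.classify(nas, 40001, pkt, now=15),   # same bytes, new source port
        cache.classify(nas, 40000, make_request(7, bytes(16)), now=16),  # new authenticator
    ]
```

Comparing source port, Identifier and Request Authenticator of the two packets in the capture against this list is a quick way to see why a retransmission was not treated as a duplicate.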