multiple roundtrips in session
Alan DeKok
aland at deployingradius.com
Mon Jul 9 17:56:01 CEST 2018
On Jul 9, 2018, at 11:28 AM, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Some of our eduroam users have for quite some time been using EAP-TLS
> on their edge devices Normally this "just works" and I've certainly
> used it from various european eduroam sites quite happily.
>
> A bit closer to home however, today one of our TLS users tried to
> connect at Leeds and our end generated the following errors.
>
> Mon Jul 9 11:17:10 2018 : Auth: (10991893) Login incorrect (eap:
> rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with
> state 0x1235fc092001f154): [rw557 at york.ac.uk] (from client
> roaming0.ja.net port 8 cli 8C-F5-A3-31-14-A8)
That's an issue. :(
> Don't seem to have any more info (we're running 3.0.17) and as this is
> the 1st time I've seen this, not sure what to do to reproduce it.
> Don't really want to run server in debug mode just on the off-chance I
> might see something.
It will give you a bit more information, but not much..
> Anything I can put in the config to generate some additional logs if
> it happens again ?
Not much.
The problem is that EAP-TLS should take ~18 packets to complete. If it's taking more than that, then something is very wrong. e.g.
* there really is that much data in the certs, so it needs 50 trips.
Not likely.
* there's some kind of pathological negotiation going on
The server is saying "let's do TLS", and the client says "no, let's do PEAP". The server says "OK, let's do PEAP", and the client goes "No, let's do TLS"... ad nauseum.
* something else is going on.
Magic. :(
Alan DeKok.
More information about the Freeradius-Users
mailing list