Logging more details about "No EAP session matching state"
David Aldwinckle
daldwinc at uwaterloo.ca
Thu Nov 14 18:05:50 CET 2019
Hi List,
In my logs I am seeing these:
Nov 14 11:50:20 cn-aaa-2 radiusd[24511]: rlm_eap (EAP): No EAP session matching state 0x2682170726800eca
I’m trying to use linelog to record more information about that particular failure, but I can’t seem to find an attribute that contains the right state ID (“0x2682170726800eca”, in the example above). I’d like to find out which NAS these failures are coming from, and start my troubleshooting there.
in sites-enabled/default:
Post-Auth-Type REJECT {
attr_filter.access_reject
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
if (&Module-Failure-Message && &Realm =~ /uwaterloo/) {
log_state
}
In mods-enabled/linelog:log_state, my message format for Access-Reject is:
“EAP error: [%{request:User-Name}] with state [%{State}] and message [%{session-state:Module-Failure-Message} %{request:Module-Failure-Message}] from NAS [%{client:shortname}]"
An example of the output is show below:
EAP error: [someone at uwaterloo.ca] with state [0xc9c06774c1ca7e415d240b6e1dfce69a] and message [mschap: Program returned code (1) and output 'Logon failure (0xc000006d)' eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed] from NAS [prod2-east.eduroam.ca]
The state recorded in linelog never matches the state in the “No EAP session” message, no matter what is contained in [%{session-state:Module-Failure-Message} %{request:Module-Failure-Message}].
Can anyone suggest a way to correlate “No EAP session matching state 0x2682170726800eca” with other attributes from the access request?
Thanks,
Dave
Dave Aldwinckle
Networks Supervisor | Network Services
Information Systems and Technology | University of Waterloo
200 University Ave W | Waterloo, ON | N2L 3G1
519-888-4567 Ext. 41145 | daldwinc at uwaterloo.ca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4179 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20191114/c60113a0/attachment.bin>
More information about the Freeradius-Users
mailing list