This may seem off topic, but here it is:
 
I am currently using Freeradius 1.1.0 on Solaris 9 to authenticate WPA-enabled clients using EAP-TLS.  I am using Cisco 1130 AG access points controlled by a Cisco/Airespace 2000 Wireless Controller using the LWAPP protocol.  I have just recently installed this setup and have about 6 clients on it now.  The users are reporting many disconnects and, looking through the log files of the 2000 Wireless Controller, I am seeing too many EAP-Identity Request retries (more than the controller will allow; it will not allow over 21 retries).  I also get "Authentication Aborted" messages; note that these are from the 2000 Wireless Controller, not the Radius server logs.
 
I have attempted to run Radius in debug mode (radiusd -X) but cannot decipher (as of yet) the messages returned.  Plus, it is hard to correlate the connection drops with the Radius log file. So I am trying to narrow down what may be causing the disconnects, and the reason for the original question was a grab for straws on what that setting did and how it may possibly relate to this problem.
 
BTW,
Freeradius is an excellent piece of software.  We have used another Radius server on Linux 7.1 running an early version (pre 1.0) to authenticate our VPN and iPass accounts for a couple of years now and it works great. Actually we use 4 Radius servers for our enterprise.  Thanks for the great work.
 
Thanks
Terry Zarelli

 
On 3/17/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
"Terry Zarelli" <[EMAIL PROTECTED]> wrote:
> A list is maintained to correlate EAP-Response
> packets with EAP-Request packets.  After a
> configurable length of time, entries in the list
> expire, and are deleted.
>
> timer_expire          = 60

An EAP conversation spans multiple RADIUS packets.  So the server
has to keep track of state to ensure that it doesn't forget about
ongoing conversations.

> What will happen if I change the timer value?

If you set it too low, the server will forget about EAP
conversations in the middle of the conversation.  If you set it too
high, then someone can attack the server by sending it many partial
EAP conversations, and making the server remember them all.

What would you change the value to, and why?  If you're not sure
what the configuration entry means, why would you want to change it?

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
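
The trade-off described in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS code: a toy Python model of a state list whose entries expire after `timer_expire` seconds. The class and function names, the reply delays and the rate of unanswered conversations are assumptions made for the illustration.

```python
# Added illustration: a toy model of an EAP state list, not FreeRADIUS code.
from collections import OrderedDict


class EapStateList:
    """Remembers outstanding EAP-Requests so EAP-Responses can be matched."""

    def __init__(self, timer_expire):
        self.timer_expire = timer_expire  # seconds an entry is kept
        self.entries = OrderedDict()      # state id -> time it was stored
        self.peak = 0                     # largest size the list reached

    def _expire(self, now):
        # Entries are stored in time order, so the oldest is always first.
        while self.entries:
            state, stored = next(iter(self.entries.items()))
            if now - stored < self.timer_expire:
                break
            del self.entries[state]

    def request_sent(self, state, now):
        self._expire(now)
        self.entries[state] = now
        self.peak = max(self.peak, len(self.entries))

    def response_received(self, state, now):
        """True if the response belongs to a conversation still remembered."""
        self._expire(now)
        return self.entries.pop(state, None) is not None


def slow_client_ok(timer_expire, reply_delay):
    """Value too low: a client answering after reply_delay seconds is forgotten."""
    table = EapStateList(timer_expire)
    table.request_sent("client-1", now=0)
    return table.response_received("client-1", now=reply_delay)


def peak_entries_under_flood(timer_expire, starts_per_second, duration):
    """Value too high: unanswered conversations pile up until they expire."""
    table = EapStateList(timer_expire)
    n = 0
    for second in range(duration):
        for _ in range(starts_per_second):
            table.request_sent(f"partial-{n}", now=second)  # constructed ids
            n += 1
    return table.peak
```

In this model the list holds roughly `starts_per_second * timer_expire` entries at steady state, so the memory the server commits to unanswered conversations scales directly with the timer value.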
