Wegener, Norbert wrote:
> We are seeing an increasing number of eap error messages:
>
> Error: rlm_eap: No EAP session matching the State variable
>
> As mentioned in the Changelog in later version an eap error has been detected
> and fixed in 2.1.4
> Fix EAP-TLS bug. Patch from Arnaud Ebalard
>
> Is this bug-fix related to the error message above so that upgrading alone
> would help?

I don't think it's related. That fix addressed the issue of large amounts of data inside of the TLS tunnel.

The error you're seeing is usually caused by EAP packets coming in 60 seconds apart. When the EAP session takes too long to process, the server deletes the context. See "timer_expire" in eap.conf.

Another possible reason for the error is that the NAS is sending EAP packets from different source IPs. The EAP sessions are keyed by (source IP, EAP Id, State). If you have load-balanced RADIUS proxies in between the NAS and the final server, then packets for the same EAP could pass through proxy 1 *or* proxy 2. That would confuse the EAP module.

e.g.

    NAS ----> proxy 1 -----> home AAA
         \---> proxy 2 ----/

If the home AAA sees the EAP session as coming from "proxy 1", it won't like packets for the *same* session coming from "proxy 2".

Alan DeKok.
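
An added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of a session table keyed by (source IP, EAP Id, State), showing how both causes named in the reply lead to the same error. The class and function names, the in-memory dict and the sample addresses are assumptions for illustration; 60 seconds is the interval the reply mentions.

```python
import os

TIMER_EXPIRE = 60  # seconds; the interval the reply mentions ("timer_expire" in eap.conf)
ERROR = "No EAP session matching the State variable"


class EapSessionTable:
    """Toy model (not FreeRADIUS code) of sessions keyed by (source IP, EAP Id, State)."""

    def __init__(self, timer_expire=TIMER_EXPIRE):
        self.timer_expire = timer_expire
        self.sessions = {}  # (src_ip, eap_id, state) -> time the challenge was sent

    def send_challenge(self, src_ip, eap_id, now):
        """Record an outstanding Access-Challenge and return its State value."""
        state = os.urandom(16)
        self.sessions[(src_ip, eap_id, state)] = now
        return state

    def receive_response(self, src_ip, eap_id, state, now):
        """Return 'ok' if the packet continues a known session, else the error."""
        # Delete contexts that have taken too long to process.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t < self.timer_expire}
        if self.sessions.pop((src_ip, eap_id, state), None) is None:
            return ERROR
        return "ok"


def demo():
    """Run three constructed exchanges and return the outcome of each."""
    table = EapSessionTable()
    results = {}

    s = table.send_challenge("192.0.2.1", 1, now=0)
    results["normal"] = table.receive_response("192.0.2.1", 1, s, now=2)

    # Cause 1: the response arrives after the context has been deleted.
    s = table.send_challenge("192.0.2.1", 2, now=100)
    results["late"] = table.receive_response("192.0.2.1", 2, s, now=161)

    # Cause 2: same EAP Id and State, but the packet arrives via the other proxy.
    s = table.send_challenge("192.0.2.1", 3, now=200)
    results["other_proxy"] = table.receive_response("192.0.2.2", 3, s, now=201)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In this model the State and EAP Id are correct in the "other_proxy" case; only the source address differs, which is why the two causes cannot be told apart from the error message alone.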