Wegener, Norbert wrote:
> We are seeing an increasing number of eap error messages:
> 
> Error: rlm_eap: No EAP session matching the State variable
> 
> As mentioned in the Changelog in later version an eap error has been detected 
> and fixed in 2.1.4
> Fix EAP-TLS bug.  Patch from Arnaud Ebalard
> 
> Is this bug-fix related to the error messageabove so that upgrading alone 
> would help?

  I don't think it's related.  That fix addressed the issue of large
amounts of data inside of the TLS tunnel.

  The error you're seeing is usually caused by EAP packets coming in 60
seconds apart.  When the EAP session takes too long to process, the
server deletes the context.  See "timer_expire" in eap.conf.

  Another possible reason for the error is that the NAS is sending EAP
packets from different source IP's.  The EAP sessions are keyed by
(source IP, EAP Id, State).

  If you have load-balanced RADIUS proxies in between the NAS and the
final server, then packets for the same EAP could pass through proxy 1
*or* proxy 2.  That would confuse the EAP module.

  e.g.

  NAS ---->  proxy 1  -----> home AAA
      \--->  proxy 2  ----/

  If the home AAA sees the EAP session as coming from "proxy 1", it
won't like packets for the *same* session coming from "proxy 2".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to