Hi users,

There's an availability concern I need to confirm about the PF FreeRADIUS 
module. Hope you can help.


We deployed PF v7.3 on CentOS 7 in our office. For the wireless connection, we 
use 802.1X auth and configured PF as the AAA server and AD as the actual 
authentication source.


Last week, when we deployed it in one of our new offices, both PF and AD worked 
well at first. Then at about 11:30 there was network instability from the 
core switch, and that might have caused all client devices to disconnect from 
the wireless SSID. When the network was restored, it seemed PF couldn't handle 
all the auth requests and kept responding with a reject to all the requests.


When I checked radius.log, I found it kept recording "No EAP session matching 
state xxxxxx" and then "Too many open sessions. Try increasing "max_sessions" 
in the EAP module configuration" errors.


Now our network team blames it on our PF system, since the wireless returned to 
normal after they switched the AAA server to the old Cisco ACS. I know the root 
cause is the network instability, but I don't know if PF really had nothing to 
do with the issue, as I saw the errors below. Could you please confirm what the 
errors below mean and whether they would cause an availability issue?


Dec 18 11:45:01 pf-wensi auth[591]: (300735) Login incorrect: [sunnyli] (from 
client 172.26.2.251 port 0 cli f4:5c:89:c2:83:bb)
Dec 18 11:45:01 pf-wensi auth[591]: [mac:b4:0b:44:70:14:bb] Rejected user: 
ziweezhang
Dec 18 11:45:01 pf-wensi auth[591]: rlm_sql (sql): Opening additional 
connection (6131), 1 of 62 pending slots used
Dec 18 11:45:01 pf-wensi auth[591]: Need 1 more connections to reach min 
connections (3)
Dec 18 11:45:01 pf-wensi auth[591]: (300731) Login incorrect: [ziweezhang] 
(from client 172.26.2.251 port 0 cli b4:0b:44:70:14:bb)
Dec 18 11:45:01 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try 
increasing "max_sessions" in the EAP module configuration
Dec 18 11:45:00 pf-wensi auth[591]: [mac:f8:59:71:94:f7:dd] Rejected user: 
garcyli
Dec 18 11:45:00 pf-wensi auth[591]: (300707) Login incorrect: [shiyuzhu] (from 
client 172.26.2.251 port 0 cli 8c:85:90:63:b2:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:cc:b8:a8:5d:e7:dd] Rejected user: xiabo
Dec 18 11:45:00 pf-wensi auth[591]: (300703) Login incorrect: [xiabo] (from 
client 172.26.2.251 port 0 cli cc:b8:a8:5d:e7:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:dc:2b:2a:13:6b:aa] Rejected user: 
siriliu
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional 
connection (6130), 1 of 63 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: Need 2 more connections to reach min 
connections (3)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional 
connection (6129), 1 of 64 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6126): 
Hit idle_timeout, was idle for 706 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6127): 
Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6125): 
Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6120): 
Hit idle_timeout, was idle for 713 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6092): 
Hit idle_timeout, was idle for 737 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6110): 
Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6123): 
Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6124): 
Hit idle_timeout, was idle for 739 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6128): 
Hit idle_timeout, was idle for 740 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6095): 
Hit idle_timeout, was idle for 741 seconds
Dec 18 11:45:00 pf-wensi auth[591]: (300699) Login incorrect: [siriliu] (from 
client 172.26.2.251 port 0 cli dc:2b:2a:13:6b:aa)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try 
increasing "max_sessions" in the EAP module configuration
...
...
...
Dec 18 11:33:25 pf-wensi auth[591]: (280571) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x481e9673481a8f7a
Dec 18 11:33:24 pf-wensi auth[591]: [mac:98:01:a7:00:96:ff] Rejected user: skylv
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: (280566) Login incorrect (eap: rlm_eap 
(EAP): No EAP session matching state 0x6a9c26bb6f9b3fab): [skylv] (from client 
172.26.2.251 port 0 cli 98:01:a7:00:96:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: [mac:dc:a9:03:91:cc:ff] Rejected user: 
lilyliu
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: (280565) Login incorrect (eap: rlm_eap 
(EAP): No EAP session matching state 0x883e7f4b8b3b6661): [lilyliu] (from 
client 172.26.2.251 port 0 cli dc:a9:03:91:cc:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: [mac:f4:5c:89:96:ee:ff] Rejected user: 
biubiuliu
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x773b673f743e7e67
Dec 18 11:33:24 pf-wensi auth[591]: (280562) Login incorrect (eap: rlm_eap 
(EAP): No EAP session matching state 0x773b673f743e7e67): [biubiuliu] (from 
client 172.26.2.251 port 0 cli f4:5c:89:96:ee:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap (EAP): No EAP 
session matching state 0x773b673f743e7e67
Dec 18 11:33:15 pf-wensi auth[591]: (280530) Login OK: [windge] (from client 
172.26.2.251 port 0 cli ac:bc:31:94:54:aa)
Dec 18 11:33:15 pf-wensi auth[591]: [mac:ac:bc:31:94:54:aa] Accepted user: and 
returned VLAN
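
Added example, not part of the original post and not PacketFence or FreeRADIUS code: a small Python triage script for a radius.log excerpt like the one above. It counts, per minute, the rejects that carry the "No EAP session matching state" reason, the "Too many open sessions" events logged by the EAP module, and the rejects with no EAP reason attached. The sample lines, host name, user names and addresses are constructed, and the category names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in radius.log format, hard-wrapped the way the e-mail is.
SAMPLE = """\
Dec 18 11:33:15 pf-example auth[591]: (1) Login OK: [alice] (from client
192.0.2.10 port 0 cli 02:00:00:00:00:01)
Dec 18 11:33:24 pf-example auth[591]: (2) eap: ERROR: rlm_eap (EAP): No EAP
session matching state 0x0102030405060708
Dec 18 11:33:24 pf-example auth[591]: (2) Login incorrect (eap: rlm_eap
(EAP): No EAP session matching state 0x0102030405060708): [bob] (from client
192.0.2.10 port 0 cli 02:00:00:00:00:02)
Dec 18 11:45:00 pf-example auth[591]: rlm_eap (EAP): Too many open sessions. Try
increasing "max_sessions" in the EAP module configuration
Dec 18 11:45:00 pf-example auth[591]: (3) Login incorrect: [carol] (from
client 192.0.2.10 port 0 cli 02:00:00:00:00:03)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d (\d\d:\d\d):\d\d ")
# First match wins, so the specific reject reason is listed before the generic one.
RULES = [
    ("session_limit", re.compile(r"Too many open sessions")),
    ("reject_no_session", re.compile(r"Login incorrect \(.*No EAP session matching state")),
    ("reject_other", re.compile(r"Login incorrect")),
    ("accept", re.compile(r"Login OK")),
]

def unwrap(text):
    """Re-join continuation lines onto the record that starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def tally(text):
    """Return {minute: Counter(category -> count)} for the classified records."""
    per_minute = defaultdict(Counter)
    for rec in unwrap(text):
        minute = STAMP.match(rec)
        label = next((name for name, rx in RULES if rx.search(rec)), None)
        if minute and label:
            per_minute[minute.group(1)][label] += 1
    return dict(per_minute)

if __name__ == "__main__":
    for minute, counts in sorted(tally(SAMPLE).items()):
        print(minute, dict(counts))
```

Each request is counted once, on its "Login incorrect" or "Login OK" line; the standalone "eap: ERROR" lines that repeat the same reason are left unclassified.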