Hello Yan,

When it happens, it is more that ntlm_auth takes time to answer, and behind ntlm_auth it is the Active Directory that is not able to handle so many requests.

Take a look at the ntlm_auth response graph.

The thing you can do is to enable NT hash caching in PacketFence; in this case PF will fetch the NT hash key from the AD and push it into the cache.

With this solution there is no need to call ntlm_auth on each 802.1X request.

Regards

Fabrice



On 2017-12-24 at 23:01, Yan wrote:
Hi users,

There's an availability concern I need to confirm about the PF FreeRADIUS module. Hope you can help.

We deployed PF v7.3 on CentOS 7 in our office. For the wireless connection, we use 802.1X auth and configured PF as the AAA server and AD as the actual authentication source.

Last week, when we deployed it in one of our new offices, both PF and AD worked well at first. Then at about 11:30 there was network instability from the core switch, which might have caused all client devices to disconnect from the wireless SSID. When the network was restored, it seemed PF couldn't handle all the auth requests and kept responding with reject to all of them.

As I checked radius.log, I found it kept recording "No EAP session matching state xxxxxx" and then "Too many open sessions. Try increasing "max_sessions" in the EAP module configuration" errors.

Now our network team blames it on our PF system, since the wireless became normal after they switched the AAA server to the old Cisco ACS. I know the root cause is network instability, but I don't know whether PF really had nothing to do with the issue, as I saw the errors below. Could you please confirm what the errors below mean and whether they would cause an availability issue?

Dec 18 11:45:01 pf-wensi auth[591]: (300735) Login incorrect: [sunnyli] (from client 172.26.2.251 port 0 cli f4:5c:89:c2:83:bb)
Dec 18 11:45:01 pf-wensi auth[591]: [mac:b4:0b:44:70:14:bb] Rejected user: ziweezhang
Dec 18 11:45:01 pf-wensi auth[591]: rlm_sql (sql): Opening additional connection (6131), 1 of 62 pending slots used
Dec 18 11:45:01 pf-wensi auth[591]: Need 1 more connections to reach min connections (3)
Dec 18 11:45:01 pf-wensi auth[591]: (300731) Login incorrect: [ziweezhang] (from client 172.26.2.251 port 0 cli b4:0b:44:70:14:bb)
Dec 18 11:45:01 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try increasing "max_sessions" in the EAP module configuration
Dec 18 11:45:00 pf-wensi auth[591]: [mac:f8:59:71:94:f7:dd] Rejected user: garcyli
Dec 18 11:45:00 pf-wensi auth[591]: (300707) Login incorrect: [shiyuzhu] (from client 172.26.2.251 port 0 cli 8c:85:90:63:b2:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:cc:b8:a8:5d:e7:dd] Rejected user: xiabo
Dec 18 11:45:00 pf-wensi auth[591]: (300703) Login incorrect: [xiabo] (from client 172.26.2.251 port 0 cli cc:b8:a8:5d:e7:dd)
Dec 18 11:45:00 pf-wensi auth[591]: [mac:dc:2b:2a:13:6b:aa] Rejected user: siriliu
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional connection (6130), 1 of 63 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: Need 2 more connections to reach min connections (3)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Opening additional connection (6129), 1 of 64 pending slots used
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6126): Hit idle_timeout, was idle for 706 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6127): Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6125): Hit idle_timeout, was idle for 711 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6120): Hit idle_timeout, was idle for 713 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6092): Hit idle_timeout, was idle for 737 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6110): Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6123): Hit idle_timeout, was idle for 738 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6124): Hit idle_timeout, was idle for 739 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6128): Hit idle_timeout, was idle for 740 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6095): Hit idle_timeout, was idle for 741 seconds
Dec 18 11:45:00 pf-wensi auth[591]: (300699) Login incorrect: [siriliu] (from client 172.26.2.251 port 0 cli dc:2b:2a:13:6b:aa)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try increasing "max_sessions" in the EAP module configuration
...
...
...
Dec 18 11:33:25 pf-wensi auth[591]: (280571) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x481e9673481a8f7a
Dec 18 11:33:24 pf-wensi auth[591]: [mac:98:01:a7:00:96:ff] Rejected user: skylv
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: (280566) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab): [skylv] (from client 172.26.2.251 port 0 cli 98:01:a7:00:96:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: [mac:dc:a9:03:91:cc:ff] Rejected user: lilyliu
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: (280565) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x883e7f4b8b3b6661): [lilyliu] (from client 172.26.2.251 port 0 cli dc:a9:03:91:cc:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280565) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x883e7f4b8b3b6661
Dec 18 11:33:24 pf-wensi auth[591]: [mac:f4:5c:89:96:ee:ff] Rejected user: biubiuliu
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x773b673f743e7e67
Dec 18 11:33:24 pf-wensi auth[591]: (280562) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x773b673f743e7e67): [biubiuliu] (from client 172.26.2.251 port 0 cli f4:5c:89:96:ee:ff)
Dec 18 11:33:24 pf-wensi auth[591]: (280562) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x773b673f743e7e67
Dec 18 11:33:15 pf-wensi auth[591]: (280530) Login OK: [windge] (from client 172.26.2.251 port 0 cli ac:bc:31:94:54:aa)
Dec 18 11:33:15 pf-wensi auth[591]: [mac:ac:bc:31:94:54:aa] Accepted user: and returned VLAN

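As an added example (not from Yan, Fabrice, or PacketFence), here is a small parser that runs over radius.log lines like the ones quoted above and separates the three things mixed together in that excerpt: plain rejects, EAP continuations for a state the server no longer holds, and the EAP session table being full. The sample lines are copied from the post; the category names, thresholds and alert wording are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the radius.log excerpt in the post above (one record per line).
SAMPLE_LOG = """\
Dec 18 11:45:01 pf-wensi auth[591]: (300735) Login incorrect: [sunnyli] (from client 172.26.2.251 port 0 cli f4:5c:89:c2:83:bb)
Dec 18 11:45:01 pf-wensi auth[591]: [mac:b4:0b:44:70:14:bb] Rejected user: ziweezhang
Dec 18 11:45:01 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try increasing "max_sessions" in the EAP module configuration
Dec 18 11:45:00 pf-wensi auth[591]: (300707) Login incorrect: [shiyuzhu] (from client 172.26.2.251 port 0 cli 8c:85:90:63:b2:dd)
Dec 18 11:45:00 pf-wensi auth[591]: rlm_sql (sql): Closing connection (6126): Hit idle_timeout, was idle for 706 seconds
Dec 18 11:45:00 pf-wensi auth[591]: rlm_eap (EAP): Too many open sessions. Try increasing "max_sessions" in the EAP module configuration
Dec 18 11:33:25 pf-wensi auth[591]: (280571) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x481e9673481a8f7a
Dec 18 11:33:24 pf-wensi auth[591]: (280566) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab
Dec 18 11:33:24 pf-wensi auth[591]: (280566) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x6a9c26bb6f9b3fab): [skylv] (from client 172.26.2.251 port 0 cli 98:01:a7:00:96:ff)
Dec 18 11:33:15 pf-wensi auth[591]: (280530) Login OK: [windge] (from client 172.26.2.251 port 0 cli ac:bc:31:94:54:aa)
"""

# syslog prefix as written by the FreeRADIUS "auth" facility on this host
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) auth\[\d+\]: (?P<msg>.*)$")
# "Login incorrect" with an optional "(module reason)", then the user and the calling-station MAC
REJECT_RE = re.compile(
    r"^\(\d+\) Login incorrect(?: \((?P<reason>.*)\))?: \[(?P<user>[^\]]*)\].*cli (?P<mac>[0-9a-f:]{17})")

# Category names are assumptions; each message lands in the first category that matches.
CATEGORIES = [
    ("login_incorrect", re.compile(r"^\(\d+\) Login incorrect")),
    ("login_ok", re.compile(r"^\(\d+\) Login OK")),
    ("no_eap_session", re.compile(r"eap: ERROR: rlm_eap \(EAP\): No EAP session matching state")),
    ("too_many_sessions", re.compile(r"rlm_eap \(EAP\): Too many open sessions")),
]


def classify(msg: str) -> str:
    for name, rx in CATEGORIES:
        if rx.search(msg):
            return name
    return "other"


def analyze(log_text: str) -> dict:
    """Bucket each record by category and by second; keep (user, mac, reason) for rejects."""
    counts = Counter()
    per_second = defaultdict(Counter)
    rejects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cat = classify(m["msg"])
        counts[cat] += 1
        per_second[m["ts"]][cat] += 1
        if cat == "login_incorrect":
            r = REJECT_RE.match(m["msg"])
            if r:
                reason = r["reason"] or "no reason logged"
                # Drop the per-conversation state cookie so identical causes group together.
                reason = re.sub(r"0x[0-9a-f]+", "0x<state>", reason)
                rejects.append((r["user"], r["mac"], reason))
    return {"counts": counts, "per_second": dict(per_second), "rejects": rejects}


def alerts(summary: dict) -> list:
    """Turn the buckets into the three findings a responder would want from this excerpt."""
    out = []
    c = summary["counts"]
    if c["too_many_sessions"]:
        out.append("EAP session table full (max_sessions hit %d times): new EAP conversations are "
                   "rejected until existing sessions time out or complete" % c["too_many_sessions"])
    stateless = [r for r in summary["rejects"] if "No EAP session" in r[2]]
    lost = c["no_eap_session"] + len(stateless)
    if lost:
        out.append("%d EAP continuations referenced a State the server no longer holds "
                   "(client retransmitted after a timeout, or the session was evicted)" % lost)
    ok, bad = c["login_ok"], c["login_incorrect"]
    if bad and bad >= 2 * max(ok, 1):                  # threshold is an assumption
        out.append("rejects outnumber accepts %d:%d in this window" % (bad, ok))
    return out


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG)
    print(dict(s["counts"]))
    for a in alerts(s):
        print("ALERT:", a)
```

Grouping by second matters more than the totals: "No EAP session matching state" on its own is a normal retransmit artefact, but a burst of them in the same second as "Too many open sessions" says the server is dropping half-finished EAP conversations while new ones pile in, which is what a reconnect storm looks like from the RADIUS side.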
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
