'Re: "No EAP session matching state" - logging'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: "No EAP session matching state" - logging
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-10-13 19:08:18
Message-ID: 8802138D-AC6D-4FFF-8577-8F4096D022C7 () deployingradius ! com
[Download RAW message or body]

On Oct 13, 2020, at 12:16 PM, Robert Franklin <rcf34@cam.ac.uk> wrote:
> Please excuse I haven't got a "radiusd -X" debugging output for this -- trying to \
> catch one is quite difficult, given the intermittent nature of the problem, the \
> difficulty matching a problematic supplicant and the volume of traffic I'm sifting \
> through, as well as the issue being on a NAS that's behind a downstream proxy (but \
> I'm responsible for the home server[*]) and with a supplicant I don't have access \
> to, so I thought I'd start with general principles first, just to check my \
> understanding is correct...

  Sometimes it's fine to not have debugging issues.

> I am investigating a situation where we're getting an Access-Reject reply being \
> sent, with a Module-Failure-Message of "No EAP session matching state ...".  The \
> previous connection successful attempt was several minutes before and the \
> supplicant repeatedly tries for a minute, with errors showing this state number, \
> then I get messages with another state number, etc.  Eventually it successfully \
> connects, so I get streams such as: 
> 2020-10-13 15:44:41 [various challenges] + Access-Accept
> 
> 2020-10-13 15:47:41 Access-Reject: No EAP session matching state 0xc600f921c5e0e014
> 2020-10-13 15:47:43 Access-Reject: No EAP session matching state 0xc600f921c5e0e014

  Something is doing retransmits *after* the previous packets have been replied to, \
or have expired.  This is bad.

  It's generally the supplicant, or maybe the NAS.  And there's little you can do to \
"fix" FreeRADIUS when something *else* is broken.

  Note also that the state is 16 bytes, and not all of it is being printed.  So the \
"No EAP session" messages may be for multiple packets.

  From my magic 8-ball, I can tell that the State attributes are for the first or \
second packets in an EAP session.  So the session isn't really getting established.

> Is there anything I can infer from this, or would I need a full debug log for an \
> affected supplicant?  I assume these sessions either never existed (and the \
> supplicant is just plain broken) or they were previous sessions that have been \
> cleaned up (which I believe happens after 5 seconds - these go on for longer).

  Pretty much.  The server is replying, and the reply never makes it to the \
supplicant.  So the supplicant retransmits, going "hey, what's up?".  The NAS sees \
that, re-uses the old State... and the server goes "no, I replied already".

> Does getting these these new state numbers off the bat (i.e. with no previous EAP \
> messages from the supplicant) imply the supplicant is doing something odd and \
> continuing EAP conversations without me having seen the start of them?  I linelog a \
> message every time I receive a packet (so a full authentication stream has several \
> lines) and have nothing for this supplicant aside from the above messages.=

  Each packet containing EAP has a State attribute.  The only ones missing it are the \
first one, and the last one.

> Is there any way I can log the 'EAP session state' field in my linelog from \
> previous messages so I can see if they're related to ones I've seen before?

  The State attribute is largely random garbage.  There isn't much point in logging \
that.

> One thing that does look odd is that, from this particular downstream RADIUS proxy, \
> we are seeing a lot of reauthentications (albeit mostly successful): I would \
> normally only expect to see supplicants reauthenticating occasionally, but I'm \
> often seeing things reauthenticate every 2-3 minutes, which looks a bit \
> suspiciously like there are local problems at the visited site.

  Pretty much.  If they have radio layer issues, or AP issues, supplicants will retry \
a LOT.

  Call them and tell them that their equipment is crap. :(

> Apologies if there's nothing you can really do to help me without the full debug \
> log and, if I need it, I'll try and get in touch with an affected user and see if \
> we can get it to fail - let me know and I'll come back when I have it.  Because \
> problems often only get reported after the event, I try to get as much as possible \
> logged that I can look back through easily (a full debug log probably being too \
> much), if someone reports something.

  Debug logs won't really help here.  Something in the network is broken, and it \
isn't FreeRADIUS.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic