EAP State identical in two Access-Challenges

Thu, 25 Mar 2004 08:26:27 -0800 

Hi all,

A quick Google search revealed nothing here, though I
might have chosen just the wrong words :) Apologies if
I did.

I'm experimenting with an EAP type that I added to
FreeRADIUS 0.9.0. We are trying to go through about
100000 successful authentications in rapid
successsion. At about 40000, something very strange
happens. It seems that two unrelated authentications
(using the same EAP type) are setting the same State
attribute in their Access-Challenge packets.

Here is a (snipped) excerpt from part of the radius
output:

<log>
identity: [EMAIL PROTECTED]
sim_initiate: finished
  rlm_eap: Underlying EAP-Type set EAP ID to 238
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 90 to
163.188.170.16:62472
        EAP-Message =
0x01ee0010120a00000f02000200010000
        Message-Authenticator =
0x00000000000000000000000000000000
        State =
0x0f1af402eb1f07594b5fe13df44ab50131246240a962d51130d099d450d494e1b8574243
</log>

And here is another (snipped) excerpt from another
part of the radius log file:

<log>
identity: [EMAIL PROTECTED]
found permanent user, 1708
sim_initiate: finished
  rlm_eap: Underlying EAP-Type set EAP ID to 238
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 196 to
163.188.170.16:62534
        EAP-Message =
0x01ee0010120a00000f02000200010000
        Message-Authenticator =
0x00000000000000000000000000000000
        State =
0x0f1af402eb1f07594b5fe13df44ab50131246240a962d51130d099d450d494e1b8574243
</log>

As you can see, the EAP id and State attributes are
the same, and since the load testing is done from one
client, I'm getting the wrong EAP_HANDLER passed back
to me in the eap_authenticate() method (rlm_eap uses
the state, eapid and client ip address to map
Access-Request to existing authentication sessions).

I looked at the code which generates the state and it
doesn't look as if it intends for the state attribute
to ever be the same for two packets.

Any ideas? Has this been fixed in later versions?

Thanks in advance...

Desmond


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to