Hi!

I've activated 802.1x (EAP-TLS) on a wired network, and it works 99% of the 
time ... just some authentications fail, but some minutes later the same client 
authenticates without a problem. As it happens only once every few days and 
always with a new client I cannot put a sniffer between the PC and switch, as I 
don't know which client will be next. But I enabled the debug logging on the 
freeradius server. The clients are Windows 7 PCs and I'm running 
freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to 
check if the request is itself OK. Here is the first packet from this client in 
some time, and it already generates the error. But the same client worked 
before and after it for days without a problem:

rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, 
length=244
        User-Name = "host/xxxxxxxxxxxxx.tirol.local"
        EAP-Message = 
0x02ff00690d800000005f160301005a01000056030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef8000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
        NAS-IP-Address = 10.xxx.xxx.4
        Service-Type = Login-User
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        NAS-Port-Id = "2:3"
        NAS-Port = 2003
        NAS-Port-Type = Ethernet
        State = 0x8df2b5f98df2b8eb6e43e372671f4335
        Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

Invalid means I return a reject ... should I return something else?  Is this a 
client problem or a misconfiguration on my part? Thx for your help!


Kind regards
Robert Penz

--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
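The decoder below is an added example, not part of the original post and not FreeRADIUS code. It takes the EAP-Message hex string quoted in the post and walks the EAP header (RFC 3748), the EAP-TLS flags and length field (RFC 5216), and then the TLS record and ClientHello headers (RFC 5246), cross-checking every length field against the bytes actually present so that a truncated or mis-framed request is reported instead of silently accepted. The cipher-suite and extension names are the standard IANA names; the `DecodeError` class, the `SAMPLE_EAP_MESSAGE` constant and all function names are this example's own. Run against the quoted packet it reports a well-formed EAP-Response/EAP-TLS carrying a complete TLS 1.0 ClientHello, which is what a client sends in reply to an EAP-TLS Start. That tells you the request's framing is fine; it cannot tell you whether the `State` attribute still refers to a live session on the server, which is what `rlm_eap: No EAP session matching the State variable` is complaining about.

```python
import struct
from datetime import datetime, timezone

# EAP-Message value copied from the post above (0x prefix stripped).
SAMPLE_EAP_MESSAGE = (
    "02ff00690d800000005f160301005a01000056030150a6115ee4ca2d9456a7fa7edad2fb"
    "1c7b221fc747eb78eb4d789ff077c48ef8000018002f00350005000ac013c014c009c00a"
    "003200380013000401000015ff01000100000a0006000400170018000b00020100"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
# IANA names for the suites offered in the sample packet.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
EXTENSIONS = {0x000A: "supported_groups", 0x000B: "ec_point_formats",
              0xFF01: "renegotiation_info"}


class DecodeError(ValueError):
    """Raised when a length field disagrees with the bytes actually present."""


def parse_eap_message(hex_value):
    """Return a dict describing the EAP-Message; raise DecodeError if mis-framed."""
    hex_value = hex_value[2:] if hex_value.startswith("0x") else hex_value
    data = bytes.fromhex(hex_value)
    if len(data) < 5:
        raise DecodeError("EAP packet shorter than header plus type")
    code, ident, length, eap_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise DecodeError(f"EAP length field {length} but {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": eap_type}
    if eap_type != EAP_TYPE_TLS:
        return info
    flags = data[5]  # RFC 5216: L = length included, M = more fragments, S = start
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20)}
    body = data[6:]
    if info["flags"]["L"]:
        (info["tls_message_length"],) = struct.unpack("!I", body[:4])
        body = body[4:]
    info["fragment_length"] = len(body)
    # Without the M bit this fragment is the whole TLS message, so lengths must agree.
    if info["flags"]["L"] and not info["flags"]["M"] \
            and info["tls_message_length"] != len(body):
        raise DecodeError("TLS message length does not match fragment length")
    if body:
        info["tls_record"] = parse_tls_record(body)
    return info


def parse_tls_record(rec):
    """Parse one TLS record header and, for a ClientHello, its main fields."""
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", rec[:5])
    if rlen != len(rec) - 5:
        raise DecodeError(f"TLS record length {rlen} but {len(rec) - 5} bytes follow")
    out = {"content_type": ctype, "version": f"{vmaj}.{vmin}", "length": rlen}
    if ctype != 22:  # only handshake records are decoded further
        return out
    hs = rec[5:]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_len != len(hs) - 4:
        raise DecodeError("handshake length does not match record length")
    out["handshake_type"] = hs_type
    if hs_type == 1:  # ClientHello
        out["client_hello"] = parse_client_hello(hs[4:])
    return out


def parse_client_hello(ch):
    """Decode ClientHello: version, random time, session id, suites, extensions."""
    vmaj, vmin = ch[0], ch[1]
    gmt = struct.unpack("!I", ch[2:6])[0]  # gmt_unix_time, usually the client clock
    pos = 34                                # 2 bytes version + 32 bytes random
    sid_len = ch[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", ch[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", ch[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = ch[pos]; pos += 1 + comp_len
    exts = []
    if pos < len(ch):
        ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4]); pos += 4 + elen
            exts.append(EXTENSIONS.get(etype, etype))
        if pos != end:
            raise DecodeError("extension block overruns its declared length")
    return {"version": f"{vmaj}.{vmin}",
            "random_time": datetime.fromtimestamp(gmt, timezone.utc).isoformat(),
            "session_id_len": sid_len,
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "extensions": exts}


if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_eap_message(SAMPLE_EAP_MESSAGE))
```

Paste any other EAP-Message from the debug output in place of the sample to check it the same way; a fragment with the M bit set only gets its EAP-TLS layer checked, since the TLS record is not complete until reassembly.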
