Debugging No EAP session matching the State variable

2013-09-16 Thread John Douglass
I run two freeradius servers (both 2.2.0 x86_64) with MySQL backends 
doing ntlm_auth (RHEL 6 Samba 3.6.9) for EAP-PEAP-MSChapV2 for our 
client devices.


I have enabled the server debug using radmin (the debug file is HUGE 
so that is why I am not posting it along with). I have googled and read 
and analyzed as much as I can so I am looking to the list to see if 
anyone has experienced this problem.

I was concentrating on a single user mhaley:

Sep 16 08:40:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:40:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:22 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:33 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:41:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:08 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:12 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 08:42:15 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client resnet1-WiSM-A port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:01 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 09:58:57 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:42 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:03:49 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:03:54 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:06:09 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81 via TLS tunnel)
Sep 16 10:36:10 newdvlanb radiusd[15211]: Login OK: [mhaley7] (from client Rich-core-WiSM-C port 13 cli 3c:e0:72:a5:b7:81)


Around there (without the OK's, I am seeing many of this style of message):

Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [jwalters38] (from client resnet1-WiSM-A port 13 cli a8:26:d9:34:bc:5f)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [arogers44] (from client Rich-core-WiSM-E port 29 cli a8:06:00:cc:6b:29)
Sep 16 09:57:56 newdvlanb radiusd[15211]: Invalid user: [mhaley7] (from client Rich-core-WiSM-E port 29 cli 3c:e0:72:a5:b7:81)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bboggess3] (from client Rich-core-WiSM-E port 29 cli 

Re: Debugging No EAP session matching the State variable

2013-09-16 Thread A . L . M . Buxey
Hi,

 Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session
 matching the State variable.

turn on full debug for just a single User-Name or Calling-Station-Id
(check radmin docs). what's your authentication clean-up/tidy up times -
as if the clients don't respond then the session is cleared away and so
no matching state/session will be found.  also, what clients are
these? Android, for example, has an annoying thing where 802.1X
networks that have credentials stored need the credential store to be unlocked
before they'll authenticate to that 802.1X network again. 

also, check your wireless domain. find some of these clients (CSI) on
your wireless management dashboard and find out what their relationship with
nearest APs is - they could be being mobile between APs in a nasty way
or during authentication so a packet or 2 is missing. remember, with eg 802.1X
and PEAP you've got 11 packets or more to be shunted over wireless (and UDP!)
for an authentication. if you've allowed clients to join to APs at really
low rates and borderline connections, this can cause grief.

alan
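An added example, not part of the thread: one way to pick out which Calling-Station-Ids to look up on the wireless dashboard is to summarize the radiusd log per client MAC, listing failures, the NAS clients each station appeared on, and how many "No EAP session" messages share a timestamp with its failures. The sample lines, hostnames, MACs and the function name `summarize` are constructed for illustration; the rlm_eap message carries no client identity, so the same-second match is only a hint.

```python
import re
from collections import defaultdict

# Auth result lines as logged by radiusd (format as in the thread above).
AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ radiusd\[\d+\]: "
    r"(?P<result>Login OK|Login incorrect|Invalid user): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9a-fA-F:]{17})")
STATE_MISS = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) .*No EAP session matching the State variable")

# Constructed sample input (not taken from a real log).
SAMPLE = [
    "Sep 16 08:40:42 radius1 radiusd[100]: Login OK: [user1] (from client nas-A port 13 cli 02:00:00:00:00:01 via TLS tunnel)",
    "Sep 16 08:40:42 radius1 radiusd[100]: Login OK: [user1] (from client nas-A port 13 cli 02:00:00:00:00:01)",
    "Sep 16 09:57:56 radius1 radiusd[100]: rlm_eap: No EAP session matching the State variable.",
    "Sep 16 09:57:56 radius1 radiusd[100]: Invalid user: [user1] (from client nas-E port 29 cli 02:00:00:00:00:01)",
    "Sep 16 09:57:56 radius1 radiusd[100]: Login incorrect: [user2] (from client nas-A port 13 cli 02:00:00:00:00:02)",
    "Sep 16 09:58:01 radius1 radiusd[100]: Invalid user: [user1] (from client nas-E port 29 cli 02:00:00:00:00:01)",
]

def summarize(lines):
    """Per-MAC counts, NAS clients seen, and state-miss lines in the same second."""
    stations = defaultdict(lambda: {"ok": 0, "fail": 0, "nas": [], "fail_ts": set()})
    miss_ts = []
    for line in lines:
        miss = STATE_MISS.match(line)
        if miss:
            miss_ts.append(miss["ts"])
            continue
        m = AUTH.match(line)
        # Skip the inner-tunnel line so one authentication is counted once.
        if not m or "via TLS tunnel" in line:
            continue
        st = stations[m["mac"].lower()]
        if m["nas"] not in st["nas"]:
            st["nas"].append(m["nas"])
        if m["result"] == "Login OK":
            st["ok"] += 1
        else:
            st["fail"] += 1
            st["fail_ts"].add(m["ts"])
    report = [{"mac": mac, "ok": st["ok"], "fail": st["fail"], "nas": st["nas"],
               "roamed": len(st["nas"]) > 1,
               "state_miss_same_second": sum(ts in st["fail_ts"] for ts in miss_ts)}
              for mac, st in stations.items()]
    return sorted(report, key=lambda r: (-r["fail"], r["mac"]))

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Stations that show failures, more than one NAS client and same-second state misses are the ones to check for roaming mid-authentication, as the reply suggests.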