[RADIATOR] Trying to understand "EAP Response type 25, but no expected type known"

Heikki Vatiainen hvn at open.com.au
Wed Jan 21 06:14:08 CST 2015


On 20.1.2015 22.12, Michael Hulko wrote:
> I have two new servers that I am trying to put into production for
> our eduroam users.  Both servers are identical.  Configs are
> identical (with the minor changes required to make them identifiable
> to the outside world).  However, that is where it appears to stop.

Hello Michael,

since EAP is used, you should check how the requests are distributed among the 
servers. If one of the servers is receiving, for example, EAP 25 (PEAP) 
requests but it has no previous EAP authentication state with the 
client, you will get the message you have quoted in the subject.

In other words, there was an EAP 25 response but the server had no idea 
that it had started EAP 25 authentication with the client.

What should happen is that first there is EAP 1 response which tells the 
client's EAP identity. Radiator will then respond with, for example, EAP 
25 (PEAP) start request and the next response from the client should be 
EAP 25 response (or NAK if the client desires some other EAP method).

> Authentications to one server fail, while authentications to the
> other server succeeds.  I am stumped.  It appears from the trace that
> the client request makes it to the first Handler but never makes it
> to the TunnelledByPEAP=1 handler to finish the authentication.
>
> Attached is a trace 4 log capture and the current config.

I see that there are a number of Access-Accepts too, so my take is that 
the RADIUS messages are distributed to the two servers in such a way 
that the server that starts EAP message authentication does not get all 
the messages that are part of the whole authentication exchange. Some 
messages are sent to the other server which then logs the message in the 
subject.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
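
The failure described in this message, as an added example that is not part of the original post and is not Radiator code: a toy model of two servers that keep EAP state only in local memory, fed once per-packet round-robin and once pinned per client. The server names, the Calling-Station-Id values and the hash-based pinning are assumptions made for the illustration.

```python
import hashlib
from itertools import count

IDENTITY, PEAP = 1, 25   # EAP types named in the message above
# Constructed Calling-Station-Id values, one per client (sample data).
CLIENTS = ["02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-03"]

class ToyServer:
    """Toy RADIUS server: per-client EAP state lives in this process only."""
    def __init__(self, name):
        self.name = name
        self.expected = {}   # client -> EAP type this server started

    def handle(self, client, eap_type):
        if eap_type == IDENTITY:
            self.expected[client] = PEAP   # server replies with PEAP start
            return "challenge"
        if self.expected.get(client) != eap_type:
            # This server never saw the start of the conversation.
            return f"EAP Response type {eap_type}, but no expected type known"
        return "challenge"

def round_robin(servers):
    """Per-packet distribution: ignores which conversation a packet is in."""
    counter = count()
    return lambda client: servers[next(counter) % len(servers)]

def sticky(servers):
    """Per-client distribution: the same client always hits the same server."""
    def pick(client):
        digest = hashlib.sha256(client.encode()).digest()
        return servers[digest[0] % len(servers)]
    return pick

def run(policy, clients, peap_rounds=3):
    """Replay Identity + PEAP rounds for all clients; return logged errors.
    Simplification: a conversation continues after an error."""
    servers = [ToyServer("radius1"), ToyServer("radius2")]
    pick = policy(servers)
    errors = []
    for eap_type in [IDENTITY] + [PEAP] * peap_rounds:
        for client in clients:            # clients are interleaved
            server = pick(client)
            result = server.handle(client, eap_type)
            if result != "challenge":
                errors.append((server.name, client, result))
    return errors

if __name__ == "__main__":
    for policy in (round_robin, sticky):
        print(policy.__name__, run(policy, CLIENTS))
```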

