[RADIATOR] random EAP authentication errors since 4.17

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Nov 30 15:03:36 UTC 2016


Hi,

thanks for the quick response!

In the meantime I tried the new EAP_UseState,  didn't fix the problem
but also didn't have any negative effect. Do you recommend to already
use it?

Disabling EAP session resumption seems to have fixed the issue
(EAPTLS_SessionResumption 0).


On 2016-11-30 15:38, Tuure Vartiainen wrote:
> Hello,
>
>> On 30 Nov 2016, at 16:27, Hartmaier Alexander <alexander.hartmaier at t-systems.at> wrote:
>>
>> we have random EAP authentication errors since the upgrade to 4.17.
>> I figured it might have something to do with the EAP session resumption
>> changes in 4.17.
>>
> interesting, could you please send a trace 5 debug log for few authentication
> errors?
I would have to force the errors again by reenabling EAP session
resumption which I'd rather like not to do.
>
>> The release notes only mentions to look at EAP.pm regarding required
>> hook code changes. I guess one should now use $self->getEAPContext($p)
>> instead of $p->{EAPContext} directly.
>>
>> The problem is that $self isn't passed to any hook!
>>
>> I couldn't find an example in the goodies either.
>>
>> Please advice how to resolve this.
>>
> you can call it
>
> $p->{AuthBy}->getEAPContext($p)
>
> but the function is only available when processing $p which has EAP-Message AVP.
So it should be safe to use it in EAP specific hooks like
EAPTLS_CertificateVerifyHook and PostAuthHook in Handler that check for
TunnelledByPEAP=1?

I've changed:

my $context =  $p->{EAPContext};

to:

my $self = $p->{AuthBy};
my $context = ($main::config->{EAP_UseState})
     ? $self->getEAPContextState($p, $code, $type)
     : $self->getEAPContext($p);

as seen in EAP.pm. Should I always call getEAPContext instead? If the
above is required I'd advice to add a method doing that to EAP.pm.
The problem with getEAPContextState is that I don't have $code and $type
in my hook.

>
>
> BR
Best regards, Alex


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*


More information about the radiator mailing list