[RADIATOR] random EAP authentication errors since 4.17

Heikki Vatiainen hvn at open.com.au
Wed Nov 30 15:35:01 UTC 2016


On 30.11.2016 17.21, Hartmaier Alexander wrote:

> we only do machine cert authentication. Can I log the SessionContextId
> for debugging purposes to really make sure it's not the issue?

This defaults to Handler. In other words, if a full authentication was 
processed by Handler A, the resumption will only work with Handler A. If 
Handler B is selected, full authentication is done. If this happens, it 
is not an error but a normal full authentication.

> This also happens for smartphones, mainly Apple and Android.

Do you have log messages about errors?

> I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
> cause this when roaming from access-point to access-point?

This should only matter when it takes more than 120 seconds for the 
client to respond after Radiator sends RADIUS Access-Challenge to get 
the client to continue the ongoing EAP authentication. Once the 
authentication has finished, this context is not required any longer.

The information required for resume is kept longer. See 
EAPTLS_SessionResumptionLimit that defaults to 12 hours.

https://www.open.com.au/radiator/ref/EAPTLS_SessionResumptionLimit.html

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.

