[RADIATOR] Radiator fails in distinguishing parallel EAP authentication

Paul Dekkers paul.dekkers at surfnet.nl
Tue Mar 14 09:02:13 UTC 2017


Hi Jan,

You can use the new global EAP_UseState parameter, in the 4.17 release
but maybe already in your patch level. This will make Radiator also use
the State attribute, like FreeRADIUS and NPS seem to do. Not sure about
ISE mechanics.

I've used it for a while now, and didn't see any problems with EAP_UseState.

I recently did a similar test; that's when I figured it out. I didn't see
the Rejects you noticed with FreeRADIUS though. Kind of off-topic here,
but there was a bug fixed regarding TLS in EAP in 3.0.x just before
the release of 3.0.13 that could explain this.

Mind you, this is only important when your (outer) usernames are the same
(e.g. anonymous), because the username and Calling-Station-Id are used as
a key for the session.

Regards,
Paul


On 14-03-17 09:47, Jan Tomasek wrote:
> Hello,
> 
> I did some experiments and it looks like Radiator (I'm running
> 4.16.1839-3) is the only RADIUS server which relies on the Calling-Station-Id
> attribute when dealing with parallel EAP authentication.
> 
> I've this setup:
> 
> Client ---> Radiator --+--> FreeRADIUS v3
>                        +--> Cisco ISE 2.1
>                        \--> MS NPS
> 
> Client is executing 20 parallel requests:
> 
> for i in `seq 15 35`
> do
>   (/usr/local/rad_eap_test-git/rad_eap_test -H Radiator -P 1812 -S xx -u
> xx -p xx -e PEAP -m WPA-EAP -t 15 -M 00:50:56:c0:00:$i ) &
> done
> 
> Requests are being processed by Radiator or being forwarded to
> FreeRADIUS, ISE or NPS based on the realm of the username. The Client definition on
> Radiator is used to strip Calling-Station-Id. Results:
> 
> With Calling-Station-Id enabled:
> 
> Radiator:     21x access-accept within 1s
> FreeRADIUSv3: 18x access-accept time vary 1-5s; 3x access-reject ~11s
> Cisco ISE:    21x access-accept within 1s
> MS NPS:       21x access-accept within 1s
> 
> With Calling-Station-Id stripped:
> 
> Radiator:     21x access-reject within 1s *
> FreeRADIUSv3: 20x access-accept time vary 2-5s; 1x access-reject 8s
> Cisco ISE:    21x access-accept within 1s
> MS NPS:       21x access-accept within 1s
> 
> * in logs Radiator prints:
>> Tue Mar 14 07:43:44 2017: ERR: EAP TLS error: -1, 1, 8466,  8623: 1 -
>> error:140A1159:SSL routines:SSL_BYTES_TO_CIPHER_LIST:scsv received
>> when renegotiating
>>
>> Tue Mar 14 07:43:44 2017: DEBUG: EAP Failure, elapsed time 0.043436
>> Tue Mar 14 07:43:44 2017: DEBUG: EAP result: 1, EAP PEAP TLS error
>> Tue Mar 14 07:43:44 2017: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP
>> TLS error
> 
> Does anyone have any idea what techniques FreeRADIUS, or better ISE & NPS,
> use for distinguishing parallel EAP authentications, given that they
> are behaving much better?
> 
> Best regards
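As an added example (a constructed model written for this page, not Radiator's, FreeRADIUS's or Jan's code), here are the two session-keying strategies the thread discusses side by side: keying an EAP conversation on username plus Calling-Station-Id, as Paul describes Radiator doing without EAP_UseState, versus keying it on the State attribute the server minted itself. The model's assumptions: the EAP-TLS handshake is replaced by a per-conversation round counter (an out-of-order round stands in for the EAP TLS error in Jan's log), State is 16 random bytes, and clients are driven round-robin the way Jan's parallel rad_eap_test loop does.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Round:
    """One Access-Request of a RADIUS/EAP conversation (constructed model)."""
    username: str                      # outer identity, e.g. "anonymous"
    calling_station_id: Optional[str]  # None when the proxy has stripped it
    state: Optional[bytes]             # State echoed from the previous Access-Challenge
    eap_id: int                        # position inside the conversation (1, 2, 3, ...)


class EapSessionTable:
    """Toy server-side table of in-progress EAP conversations.

    use_state=False keys conversations on (username, Calling-Station-Id), the
    behaviour the thread attributes to Radiator without EAP_UseState;
    use_state=True keys them on the State attribute the server minted itself.
    A conversation is `length` rounds long; a round whose eap_id is not the one
    the session expects means two conversations were mixed together, which is
    the model's stand-in for the EAP TLS error in Jan's log.
    """

    def __init__(self, use_state: bool, length: int = 3):
        self.use_state = use_state
        self.length = length
        self.sessions: Dict[Tuple, dict] = {}

    def handle(self, rnd: Round) -> Tuple[str, Optional[bytes]]:
        if self.use_state:
            key = ("state", rnd.state) if rnd.state is not None else None
        else:
            key = ("ident", rnd.username, rnd.calling_station_id)
        sess = self.sessions.get(key) if key is not None else None

        if sess is None:
            if key is not None and self.use_state:
                # Client echoed a State we no longer know: nothing to resume.
                return ("Access-Reject", None)
            # First round of a new conversation: mint a fresh State.
            sess = {"state": secrets.token_bytes(16), "expect": 1}
            key = key or ("state", sess["state"])
            self.sessions[key] = sess

        if sess["expect"] != rnd.eap_id:
            # Out-of-order round: the conversation is corrupted, drop it.
            self.sessions.pop(key, None)
            return ("Access-Reject", None)

        sess["expect"] += 1
        if sess["expect"] > self.length:
            self.sessions.pop(key, None)
            return ("Access-Accept", None)
        return ("Access-Challenge", sess["state"])


def run_clients(table: EapSessionTable, calling_station_ids: List[Optional[str]],
                username: str = "anonymous") -> List[str]:
    """Drive one conversation per entry of calling_station_ids, interleaved
    round-robin like the parallel rad_eap_test loop in the thread. Returns the
    final RADIUS code each client saw."""
    clients = [{"state": None, "eap_id": 1, "result": None} for _ in calling_station_ids]
    for _ in range(table.length):
        for csid, c in zip(calling_station_ids, clients):
            if c["result"] is not None:
                continue
            code, state = table.handle(Round(username, csid, c["state"], c["eap_id"]))
            if code == "Access-Challenge":
                c["state"], c["eap_id"] = state, c["eap_id"] + 1
            else:
                c["result"] = code
    return [c["result"] for c in clients]


if __name__ == "__main__":
    # Constructed MACs in the same form as Jan's loop (00:50:56:c0:00:15 .. 35).
    macs = [f"00:50:56:c0:00:{i}" for i in range(15, 36)]
    for label, use_state, csids in [
        ("ident key, Calling-Station-Id present ", False, macs),
        ("ident key, Calling-Station-Id stripped", False, [None] * len(macs)),
        ("State key, Calling-Station-Id stripped", True, [None] * len(macs)),
    ]:
        results = run_clients(EapSessionTable(use_state), csids)
        print(f"{label}: {results.count('Access-Accept')}x accept, "
              f"{results.count('Access-Reject')}x reject")
```

With an anonymous outer identity and Calling-Station-Id stripped, identity keying rejects every conversation as soon as more than one runs in parallel (a single client still succeeds), while State keying accepts all of them; with distinct Calling-Station-Ids identity keying also works. That reproduces the shape of the two result tables in Jan's post without any of the real EAP-TLS machinery.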


