Help troubleshooting No EAP session matching...


Help troubleshooting No EAP session matching...

DaveA
Hi List,

During periods of high load, we are seeing many messages like the following:

radiusd[28187]: rlm_eap: No EAP session matching the State variable.

I understand the meaning of the message, but I need some assistance on
how to go about locating the source of the problem.

During peak times, we have about 8K wireless logins per minute, for
extended periods. We have 6 wireless controllers, from which the
Access-Requests are sent. Due to the high load, I am unable to run the
server with -X, because it gets crushed while running single threaded. I
can use radmin, but I'm not sure what to set the debug condition to.

I don't see any errors about child processes being hung, or
winbind/ntlm_auth taking too long.

Some values which may be relevant:

radiusd.conf: max_request_time = 30
radiusd.conf: cleanup_delay = 5
radiusd.conf: max_requests = 8000000 #about 30K wireless users at peak * 256 ~= 8million
radiusd.conf: start_servers = 5
radiusd.conf: max_servers = 32
radiusd.conf: min_spare_servers = 3
radiusd.conf: max_spare_servers = 10
radiusd.conf: #       max_queue_size = 65536 (unsure why this is commented out)

mods-enabled/eap: timer_expire = 60
mods-enabled/eap: cache = disabled

$ openssl speed rsa2048
Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May  2 06:13:20 EDT 2016
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

                   sign    verify    sign/s verify/s
rsa 2048 bits 0.001902s 0.000057s    525.8  17623.3

So, a couple questions:

1. Is there a way to get more info along with the message "rlm_eap: No EAP session matching the State variable." ?
     - e.g. Which NAS it came from, calling-station-id, etc.

2. Are the aforementioned values OK?

Any advice would be appreciated.

Regards,
Dave

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help troubleshooting No EAP session matching...

Alan DeKok-2
On Sep 15, 2016, at 9:57 AM, Dave Aldwinckle <[hidden email]> wrote:
>
> During periods of high load, we are seeing many messages like the following:
>
> radiusd[28187]: rlm_eap: No EAP session matching the State variable.
>
> I understand the meaning of the message, but I need some assistance on how to go about locating the source of the problem.

  If it's high load, the problem is starvation.  Either the CPU is overloaded, or the back-end is overloaded.

> During peak times, we have about 8K wireless logins per minute, for extended periods. We have 6 wireless controllers, from which the Access-Requests are sent. Due to the high load, I am unable to run the server with -X, because it gets crushed while running single threaded. I can use radmin, but I'm not sure what to set the debug condition to.
>
> I don't see any errors about child processes being hung, or winbind/ntlm_auth taking too long.

  Yeah, ntlm_auth typically maxes out at 100 to 200 authentications per second.  That's likely the problem.

> $ openssl speed rsa2048
> Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
> Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s

  The server should be able to do 1000 or more EAP authentications per second.

> So, a couple questions:
>
> 1. Is there a way to get more info along with the message "rlm_eap: No EAP session matching the State variable." ?
>    - eg. Which NAS it came from, calling-station-id, etc.

  The NAS information is in the other attributes.  You can look at the post-auth-type Reject to log things.

> 2. Are the aforementioned values OK?

  They're fine.

  Alan DeKok.



Re: Help troubleshooting No EAP session matching...

Matthew Newton
On Thu, Sep 15, 2016 at 10:16:19AM -0400, Alan DeKok wrote:
> On Sep 15, 2016, at 9:57 AM, Dave Aldwinckle <[hidden email]> wrote:
> > During peak times, we have about 8K wireless logins per minute, for extended periods. We have 6 wireless controllers, from which the Access-Requests are sent. Due to the high load, I am unable to run the server with -X, because it gets crushed while running single threaded. I can use radmin, but I'm not sure what to set the debug condition to.
> >
> > I don't see any errors about child processes being hung, or winbind/ntlm_auth taking too long.
>
>   Yeah, ntlm_auth typically maxes out at 100 to 200 authentications per second.  That's likely the problem.

In my experience, around 30-40... but does depend on hardware.

Could try using libwbclient with recent FreeRADIUS - see
winbind_username/winbind_domain in mods-available/mschap. It might
help; it should be a bit quicker than calling out to ntlm_auth.

Recent versions of Samba should be better as well IIRC.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>

Re: Help troubleshooting No EAP session matching...

Alan DeKok-2
On Sep 15, 2016, at 10:21 AM, Matthew Newton <[hidden email]> wrote:
> In my experience, around 30-40... but does depend on hardware.
>
> Could try using libwbclient with recent FreeRADIUS - see
> winbind_username/winbind_domain in mods-available/mschap. It might
> help; it should be a bit quicker than calling out to ntlm_auth.
>
> Recent versions of Samba should be better as well IIRC.

  Even better, enable TLS session caching.  It's easier to do in v3.1.x, but even v3.0.x should be OK.

  That takes the load off of AD, and also FreeRADIUS.  I've seen many 1000's of sessions resumed per second.

  Alan DeKok.



Re: Help troubleshooting No EAP session matching...

A.L.M.Buxey
In reply to this post by DaveA
Hi,

> During periods of high load, we are seeing many messages like the following:
>
> radiusd[28187]: rlm_eap: No EAP session matching the State variable.

RADIUS protocol only allows a certain number of auths to be 'being handled' from
a NAS - I'm going to guess you are using Cisco controllers?   the joy of them using just
one single NAS port as the ID - no extended IDs - thus all those hundreds of APs
are just the one client :/

> During peak times, we have about 8K wireless logins per minute, for
> extended periods. We have 6 wireless controllers, from which the
> Access-Requests are sent. Due to the high load, I am unable to run
> the server with -X, because it gets crushed while running single
> threaded. I can use radmin, but I'm not sure what to set the debug
> condition to.

most sites find they hit some magic numbers.... upgrading to new code on controller
might help (eg cisco moved to using new NAS port ID for the accounting traffic...double
your throughput then...) - then you hit a higher level...as we did...

the other big issue is ntlm_auth - it does take quite some time and is a mix of CPU-bound and
server bound - basically you'll find it sticks like glue with older SAMBAs to just one of the
KDC entries in AD.

> radiusd.conf: max_request_time = 30
> radiusd.conf: cleanup_delay = 5
> radiusd.conf: max_requests = 8000000 #about 30K wireless users at
> peak * 256 ~= 8million

max_requests, please note: This should be 256 multiplied by the number of clients - this
is clients of the RADIUS server - ie NAS devices... 'those' clients, not wireless clients.
hence this number should be more like 256 x 6 !!  ;-)


> radiusd.conf: #       max_queue_size = 65536 (unsure why this is
> commented out)

it's commented out by default IIRC - you could try tweaking...but if something's in the
queue it hasn't really been handled - eg I believe its entry will not have
been added to state table etc.....

how many CPUs and cores? you could try increasing the number of threads to eg 64 if you have the
cores for the threads

> mods-enabled/eap: timer_expire = 60
> mods-enabled/eap: cache = disabled

and you really should be using the cache capability. this dramatically improves the re-auth time of
clients - hence shortcutting them

> 1. Is there a way to get more info along with the message "rlm_eap:
> No EAP session matching the State variable." ?
>     - eg. Which NAS it came from, calling-station-id, etc.


you can add extra logging eg with linelog or detail log (reject log here)

for debugging you can just debug particular clients (NAS) or end user clients - just follow the instructions
for commands as given by 'man radmin' - you may want to up the debug log level to 5 if you don't get enough info.


is this box running in a VM? the UDP performance isn't quite so good, you need a few tweaks to that part.

I would advise looking at new features available in 3.1.x - the native winbind client - VERY fast and nice...and
the caching is improved.

you can ALSO help things out by using the 'QoS' packet handler "queue_priority" - setting that to EAP will
ensure that those requests that are further along the EAP process will be handled first - which is nice for
those auths that have already dealt with eg 8 or 9 of the RADIUS responses out of 11...rather than failing
at that late stage....

alan


Re: Help troubleshooting No EAP session matching...

DaveA
Thanks for all of the responses. There is a lot of useful info here.

- Aruba controllers, so yes, about 4500 APs on 6 clients (good note
about max_requests)
- Will look into updating Samba, right now we are running 3.6, so too
old to use the winbind_* stuff from mschap
- Will add logging as suggested to auth type reject
- Will trial eap:caching
- We are running 3.0.10, which I understand is old. I may look into
upgrading to 3.1, but I was hoping the next upgrade would be 4.0.

The box is a VM, what did you mean by this?

> is this box running in a VM? the UDP performance isn't quite so good,
> you need a few tweaks to that part.

Thanks again!


Dave



Re: Help troubleshooting No EAP session matching...

Matthew Newton
On Fri, Sep 16, 2016 at 07:44:24AM -0400, Dave Aldwinckle wrote:
> - Will look into updating Samba, right now we are running 3.6, so too old to
> use the winbind_* stuff from mschap

Yes, Samba 4 is better. 3.6 is years out of support as well.

> - We are running 3.0.10, which I understand is old. I may look into
> upgrading to 3.1, but I was hoping the next upgrade would be 4.0.

3.0.10 is one behind current stable release, so pretty good. 4.0
is development version, you really don't want to be running that.
3.1 is sort of half way, but still devel and not necessarily
stable. Unlikely to give you much benefit over 3.0 unless you need
some of the newer features.

> The box is a VM, what did you mean by this?
>
> > is this box running ina  VM? the UDP performance isnt quite so
> > good, you need a few tweaks to that part.

We run all our RADIUS servers as Xen VMs. Never tweaked anything
regarding this here.

Matthew



Re: Help troubleshooting No EAP session matching...

A.L.M.Buxey
Hi,

> We run all our RADIUS servers as Xen VMs. Never tweaked anything
> regarding this here.

well, that'll be why you have problems then! ;-)

alan

Re: Help troubleshooting No EAP session matching...

A.L.M.Buxey
In reply to this post by DaveA
Hi,

> - We are running 3.0.10, which I understand is old. I may look into
> upgrading to 3.1, but I was hoping the next upgrade would be 4.0.

3.1.x is the 'old' feature track - now taken up by 4.0.x - but 4.0.x is very
bleeding edge and having massive changes..... a 3.0.x config is quite
quick to upgrade to a 3.1.x config.

> The box is a VM, what did you mean by this?

you need to read the docs/guides for network (especially UDP) performance
for your chosen VM platform - there are OS tweaks/guides for Xen, VMware,
Hyper-V, EC2 etc.

alan

Re: Help troubleshooting No EAP session matching...

Alan DeKok-2
On Sep 16, 2016, at 9:39 AM, [hidden email] wrote:
>
>> - We are running 3.0.10, which I understand is old. I may look into
>> upgrading to 3.1, but I was hoping the next upgrade would be 4.0.
>
> 3.1.x is the 'old' feature track - now taken up by 4.0.x - but 4.0.x is very
> vbleeding edge and having massive changes..... a 3.0.x config is quite
> quick to upgrade to a 3.1.x config.

  I'm about to drop v4 on the floor, shake it up, and put it back together again. :(

  Porting configs from v3.0 /v3.1 to v4 will take some effort.  The modules will be 99% similar.  The contents of "authorize", etc. will be 99% similar.  The names of the processing sections will change, and the "listen" sections will change.

  It will all be very mechanical edits, but it's tedious.

  Alan DeKok.



Re: Help troubleshooting No EAP session matching...

A.L.M.Buxey
Hi,

>   Porting configs from v3.0 /v3.1 to v4 will take some effort.  The modules will be 99% similar.  The contents of "authorize", etc. will be 99% similar.  The names of the processing sections will change, and the "listen" sections will change.
>
>   It will all be very mechanical edits, but it's tedious.

whilst I'd strongly advise that orgs migrate by reading their configs and reimplementing
(which gives them better understanding of the process and allows them to do things in a better way)
I was planning on a simple script to convert the section names from old name to new name  ;-)

alan

Re: Help troubleshooting No EAP session matching...

DaveA
I always prefer to do a re-write of the configs when upgrading. I find
the end result is much cleaner, easier to understand, and performs better.

I'm still having a problem matching "No EAP session matching state" to a
particular user or request. The linelog below works, but it doesn't seem
to trigger at the same time that "No EAP session matching state" does. I
thought about moving log_state to sites-enabled/default, but "# The
"session-state" attributes are not available here", so now I'm lost again.


linelog log_state {
         format = "Rejected user: %{outer.request:User-Name} with State ID %{State} from NAS %{outer.request:NAS-IP-Address}"
         filename = syslog
         syslog_facility = news
}


sites-enabled/inner-tunnel

         Post-Auth-Type REJECT {
                 attr_filter.access_reject

                 #
                 #  Let the outer session know which module failed, and why.
                 #

                 update outer.session-state {
                         &Module-Failure-Message := &request:Module-Failure-Message
                 }
                 log_state
         }


Off-topic, but related: This particular bit "&Module-Failure-Message :=
&request:Module-Failure-Message" is populated with the first ERROR that
the mschap module spits out, which for us is always "No NT-Domain was
found in the User-Name." Since none of our User-Names have NT domains in
them, the message is confusing. Is there any way to include the other
errors? "Program returned code (1) and output 'Logon failure
(0xc000006d)" would be a good one:

(72) mschap: Creating challenge hash with username: [hidden email]
(72) mschap: Client is using MS-CHAPv2
(72) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-NEXUS} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(72) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(72) mschap:    --> --username=nstestnexus
(72) mschap: ERROR: No NT-Domain was found in the User-Name
(72) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NEXUS}
(72) mschap:    --> --domain=NEXUS
(72) mschap: Creating challenge hash with username: [hidden email]
(72) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(72) mschap:    --> --challenge=8953cfebb40e879e
(72) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(72) mschap:    --> --nt-response=f849c79ecfbba60fe76fe6e688b24d9a0f13eadb23632ef6
(72) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(72) mschap: External script failed
(72) mschap: ERROR: External script says: Logon failure (0xc000006d)
(72) mschap: ERROR: MS-CHAP2-Response is incorrect

Thanks,

Dave

Dave Aldwinckle
Network Services
Information Systems & Technology
University of Waterloo
(519)-888-4567, x41145



Re: Help troubleshooting No EAP session matching...

Matthew Newton
On Fri, Sep 16, 2016 at 10:37:13AM -0400, Dave Aldwinckle wrote:

> Off-topic, but related: This particular bit "&Module-Failure-Message :=
> &request:Module-Failure-Message" is populated with the first ERROR that the
> mschap module spits out, which for us is always "No NT-Domain was found in
> the User-Name." Since none of our User-Names have NT domains in them, the
> message is confusing. Is there any way to include the other errors? "Program
> returned code (1) and output 'Logon failure (0xc000006d)" would be a good
> one:
>
> (72) mschap: Creating challenge hash with username: [hidden email]
> (72) mschap: Client is using MS-CHAPv2
> (72) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-NEXUS}

Set this to "--domain=NEXUS" instead? It's the expansion of the
mschap:NT-Domain that's causing the error.

You should be able to get the other errors by looking at
&Module-Failure-Message[1], &Module-Failure-Message[2], etc, I
think?

Matthew



Re: Help troubleshooting No EAP session matching...

Matthew Newton
In reply to this post by A.L.M.Buxey
On Fri, Sep 16, 2016 at 01:37:14PM +0000, [hidden email] wrote:
> > We run all our RADIUS servers as Xen VMs. Never tweaked anything
> > regarding this here.
>
> well, that'll be why you have problems then! ;-)

Haven't currently got any problems :-P

Matthew



Re: Help troubleshooting No EAP session matching...

DaveA
In reply to this post by Matthew Newton
That did it!

  radiusd[28517]: (1691)   Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [someuser] (from client prod1-east.eduroam.ca port 0 via TLS tunnel)

Thanks.


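The thread's diagnosis is starvation under peak load, and its logging fixes (the linelog "Rejected user ... from NAS ..." format and the standard "Login incorrect (...)" line) are what give the otherwise anonymous "No EAP session matching" error some context. The script below is an added example, not code from the thread or from FreeRADIUS: it parses those three line shapes out of syslog, buckets them per minute, and reports whether the "no session" errors cluster in the busiest minute and which NAS the rejects come from. It assumes a standard syslog prefix ("Mon DD HH:MM:SS host radiusd[pid]: ...") and uses constructed sample lines.

```python
"""Correlate 'rlm_eap: No EAP session matching the State variable' errors with
per-minute login load and per-NAS rejects in FreeRADIUS syslog output.
Added example for this thread, not FreeRADIUS code; the sample lines below
are constructed to mimic the three line formats quoted in the thread."""
import re
from collections import Counter, defaultdict

# Syslog prefix "Sep 15 09:57:01 host radiusd[28187]: <message>", timestamp kept to the minute.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d):\d\d \S+ radiusd\[\d+\]: (?P<msg>.*)$")
# The error being chased; it carries no NAS or user detail of its own.
NO_SESSION_RE = re.compile(r"rlm_eap: No EAP session matching the State variable")
# The linelog format posted in the thread ("Rejected user: ... from NAS ...").
LINELOG_RE = re.compile(
    r"Rejected user: (?P<user>\S+) with State ID (?P<state>\S*) from NAS (?P<nas>\S+)")
# The standard auth log line, "(1691)   Login incorrect (reason): [user] (from client X port ...".
AUTHLOG_RE = re.compile(
    r"\(\d+\)\s+Login (?P<result>OK|incorrect)(?: \((?P<reason>.*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port")


def parse_line(line):
    """Classify one syslog line; returns a dict with 'kind' and 'minute', or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    minute, msg = m.group("ts"), m.group("msg")
    if NO_SESSION_RE.search(msg):
        return {"kind": "no_session", "minute": minute}
    ll = LINELOG_RE.search(msg)
    if ll:
        return {"kind": "reject", "minute": minute, "nas": ll.group("nas"),
                "user": ll.group("user"), "state": ll.group("state")}
    al = AUTHLOG_RE.search(msg)
    if al:
        return {"kind": "login", "minute": minute, "result": al.group("result"),
                "reason": al.group("reason") or "", "user": al.group("user"),
                "client": al.group("client")}
    return None


def correlate(lines):
    """Per-minute login and 'no session' counts, plus rejects per NAS and failure reasons."""
    per_minute = defaultdict(lambda: {"logins": 0, "no_session": 0})
    by_nas, reasons = Counter(), Counter()
    for ev in filter(None, map(parse_line, lines)):
        bucket = per_minute[ev["minute"]]
        if ev["kind"] == "no_session":
            bucket["no_session"] += 1
        elif ev["kind"] == "login":
            bucket["logins"] += 1
            if ev["result"] == "incorrect":
                reasons[ev["reason"]] += 1
        else:  # linelog reject: the only line type that names the NAS
            by_nas[ev["nas"]] += 1
    return dict(per_minute), by_nas, reasons


def report(text):
    """Summarise syslog text.  Under load-driven starvation, no_session_at_peak
    should account for most of no_session_total."""
    per_minute, by_nas, reasons = correlate(text.splitlines())
    peak = max(per_minute, key=lambda k: per_minute[k]["logins"]) if per_minute else None
    return {"peak_minute": peak,
            "no_session_at_peak": per_minute[peak]["no_session"] if peak else 0,
            "no_session_total": sum(b["no_session"] for b in per_minute.values()),
            "top_nas": by_nas.most_common(1)[0] if by_nas else None,
            "top_reason": reasons.most_common(1)[0] if reasons else None}


# Constructed sample: one busy minute with two 'no session' errors, then a quiet minute.
SAMPLE = """\
Sep 15 09:57:01 rad1 radiusd[28187]: (101)   Login OK: [alice] (from client ctrl-a port 0 via TLS tunnel)
Sep 15 09:57:02 rad1 radiusd[28187]: rlm_eap: No EAP session matching the State variable.
Sep 15 09:57:03 rad1 radiusd[28187]: Rejected user: carol with State ID 0x8a21 from NAS 10.0.0.1
Sep 15 09:57:03 rad1 radiusd[28187]: (103)   Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [carol] (from client ctrl-a port 0 via TLS tunnel)
Sep 15 09:57:04 rad1 radiusd[28187]: rlm_eap: No EAP session matching the State variable.
Sep 15 09:57:05 rad1 radiusd[28187]: Rejected user: dave with State ID 0x8a22 from NAS 10.0.0.1
Sep 15 09:57:05 rad1 radiusd[28187]: (104)   Login OK: [dave] (from client ctrl-c port 0 via TLS tunnel)
Sep 15 09:58:40 rad1 radiusd[28187]: Rejected user: frank with State ID 0x8a30 from NAS 10.0.0.2
"""
```

Run `report(SAMPLE)` (or feed it the real syslog file contents) to get the peak minute, how many of the "no session" errors fell in it, and the NAS with the most rejects.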

Re: Help troubleshooting No EAP session matching...

Matthew Newton
On Fri, Sep 16, 2016 at 11:07:19AM -0400, Dave Aldwinckle wrote:
> That did it!

Good

>  radiusd[28517]: (1691)   Login incorrect (mschap: Program returned code (1)
> and output 'Logon failure (0xc000006d)'): [someuser] (from client
> prod1-east.eduroam.ca port 0 via TLS tunnel)

FWIW, if you use the winbind client stuff in the latest FR/Samba,
you get much nicer error reporting. None of the "program returned
code" stuff, as it's not running a program.

Matthew



Re: Help troubleshooting No EAP session matching...

A.L.M.Buxey
Hi,

> FWIW, if you use the winbind client stuff in the latest FR/Samba,
> you get much nicer error reporting. None of the "program returned
> code" stuff, as it's not running a program.

+1

and its FASTER!  :)

alan