firmware bug: radius request retransmission misses eap-state, freeradius responses with reject

2025-05-30 11:24:59
Model: TL-SG3210XHP-M2, TL-SX3206HPP
Hardware Version: V1
Firmware Version: 1.20.7

Hello,

 

I found a firmware bug that causes 802.1X authentication failures for wired clients. All switch devices are affected. The EAP device does not have this bug.

All the switches I have are affected:


 

Please see the following thread


https://community.tp-link.com/en/business/forum/topic/816396?replyId=1550434

 

for answers to these questions:

1. A screenshot of the Device page of your controller so we would know the models, versions of the Omada devices you are using;

2. the screenshots of the config page mentioned in the FAQ;

3. What IP address will the wireless clients get?

4. Are you using an external Radius server?

5. the topology of the network.

Information to reproduce the issue:

When there is load on the RADIUS server, so that the switch experiences a timeout and does a retransmission, the 802.1X authentication fails.
When the timeout does not happen on the switch, there is no retransmission and the 802.1X authentication is successful.

I show the tcpdump with the retransmission and then the FreeRADIUS debug output showing how it acts, which leads to the authentication failure.

The tcpdump without the retransmission is identical except that the two retransmission packets are not there.

Here is the tcpdump output (10.0.0.3 is the switch, 10.1.2.1 is the FreeRADIUS server):

10:03:18.097139 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x01 length: 148
10:03:18.098793 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x01 length: 64
10:03:18.104598 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x02 length: 305
10:03:18.118119 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x02 length: 1064
10:03:18.121420 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x03 length: 150
10:03:18.123021 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x03 length: 1064
10:03:18.126122 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x04 length: 150
10:03:18.127202 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x04 length: 1064
10:03:18.130256 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x05 length: 150
10:03:18.131490 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x05 length: 1064
10:03:18.134736 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x06 length: 150
10:03:18.135895 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x06 length: 128
10:03:18.148085 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x07 length: 280
10:03:18.150682 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Challenge (11), id: 0x07 length: 119
10:03:18.153543 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x08 length: 227    <-- first request id 8
10:03:27.152999 IP 10.0.0.3.44864 > 10.1.2.1.radius: RADIUS, Access-Request (1), id: 0x09 length: 209    <-- retransmission id 9
10:03:28.154936 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Reject (3), id: 0x09 length: 38         <-- retransmission id 9 reject
10:03:30.354898 IP 10.1.2.1.radius > 10.0.0.3.44864: RADIUS, Access-Accept (2), id: 0x08 length: 61        <-- first request id 8 is accepted

 

Here is the FreeRADIUS debug output for the packets with ids 8 and 9.

This is the first request with id 8:

 

authentik-freeradius-1  | (7) Received Access-Request Id 8 from 10.0.0.3:47557 to 10.1.2.1:1812 length 227
authentik-freeradius-1  | (7)   User-Name = "apple_lan_thatsme"
authentik-freeradius-1  | (7)   EAP-Message = 0x020900531580000000491703030044fc65f797940844200121d6c214b4a943f011737e57d2eeeae303c0666a780b06e91ec17969d06d766156de5ab0dc4ee3d6ba2ed668e67021d2a2ce6bc9799c8a5759eb1f
authentik-freeradius-1  | (7)   NAS-IP-Address = 10.0.0.3
authentik-freeradius-1  | (7)   NAS-Port = 2
authentik-freeradius-1  | (7)   NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1  | (7)   Service-Type = Framed-User
authentik-freeradius-1  | (7)   Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1  | (7)   NAS-Port-Type = Ethernet

 

Here comes the retransmission with id 9:

authentik-freeradius-1  | (8) Received Access-Request Id 9 from 10.0.0.3:47557 to 10.1.2.1:1812 length 209
authentik-freeradius-1  | (8)   User-Name = "apple_lan_thatsme"
authentik-freeradius-1  | (8)   EAP-Message = 0x020900531580000000491703030044fc65f797940844200121d6c214b4a943f011737e57d2eeeae303c0666a780b06e91ec17969d06d766156de5ab0dc4ee3d6ba2ed668e67021d2a2ce6bc9799c8a5759eb1f
authentik-freeradius-1  | (8)     } # policy filter_username = notfound
authentik-freeradius-1  | (8)     [preprocess] = ok
authentik-freeradius-1  | (8)     [chap] = noop
authentik-freeradius-1  | (8) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (8) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
authentik-freeradius-1  | (8) suffix: No such realm "NULL"
authentik-freeradius-1  | (8)     [suffix] = noop
authentik-freeradius-1  | (8)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (8)   } # authorize = ok
authentik-freeradius-1  | (8) Found Auth-Type = eap
authentik-freeradius-1  | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (8)   authenticate {
authentik-freeradius-1  | (8) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
 

!! This is the firmware bug in the retransmission packet, as reported by FreeRADIUS !!

 

authentik-freeradius-1  | (8) eap: ERROR: The RADIUS client is broken.  No amount of changing FreeRADIUS will fix the RADIUS client.
authentik-freeradius-1  | (8) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
authentik-freeradius-1  | (8) eap: Failed in handler
authentik-freeradius-1  | (8)     [eap] = invalid
authentik-freeradius-1  | (8)   } # authenticate = invalid
authentik-freeradius-1  | (8) Failed to authenticate the user

 

FreeRADIUS gives up and denies the user as a consequence.


authentik-freeradius-1  | (8) Using Post-Auth-Type Reject
authentik-freeradius-1  | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (8)   Post-Auth-Type REJECT {
authentik-freeradius-1  | (8) attr_filter.access_reject: EXPAND %{User-Name}
authentik-freeradius-1  | (8) attr_filter.access_reject:    --> apple_lan_thatsme
authentik-freeradius-1  | (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
authentik-freeradius-1  | (8)     [attr_filter.access_reject] = updated
authentik-freeradius-1  | (8) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
authentik-freeradius-1  | (8) eap: ERROR: The RADIUS client is broken.  No amount of changing FreeRADIUS will fix the RADIUS client.
authentik-freeradius-1  | (8) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
authentik-freeradius-1  | (8) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
authentik-freeradius-1  | (8)     [eap] = noop
authentik-freeradius-1  | (8)     policy remove_reply_message_if_eap {
authentik-freeradius-1  | (8)       if (&reply:EAP-Message && &reply:Reply-Message) {
authentik-freeradius-1  | (8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
authentik-freeradius-1  | (8)       else {
authentik-freeradius-1  | (8)         [noop] = noop
authentik-freeradius-1  | (8)       } # else = noop
authentik-freeradius-1  | (8)     } # policy remove_reply_message_if_eap = noop
authentik-freeradius-1  | (8) Delaying response for 1.000000 seconds
authentik-freeradius-1  | Waking up in 0.3 seconds.
authentik-freeradius-1  | Waking up in 0.6 seconds.
authentik-freeradius-1  | (8) Sending delayed response
authentik-freeradius-1  | (8) Sent Access-Reject Id 9 from 10.1.2.1:1812 to 10.0.0.3:47557 length 38


Here the switch receives the reject, which leads to the 802.1X authentication failure.

When the retransmission does not happen, the switch does not get the reject.

Here is the Accept response to the first request with id 8:

authentik-freeradius-1  | (7) Sent Access-Accept Id 8 from 10.1.2.1:1812 to 10.0.0.3:47557 length 61
authentik-freeradius-1  | (7)   Framed-MTU += 994
authentik-freeradius-1  | (7)   Tunnel-Type = VLAN
authentik-freeradius-1  | (7)   Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1  | (7)   Tunnel-Private-Group-Id = "110"

 

But the switch already received the reject and the authentication failed.

When the retransmission does not happen, the switch accepts the client and the 802.1X authentication is successful.

 

 

#1
Re:firmware bug: radius request retransmission misses eap-state, freeradius responses with reject
2025-06-03 06:57:05

  @relvy 

We have not reproduced the issue.

We require the following information:

1. Diagram of your network.

2. Export the running-config. On the controller page, you have an option on the device page. Action tab, "Show running-config". A button like this "</>".

3. TCP dump or Wireshark on the RADIUS server while the authentication happens. We need a full capture when the problem happens.

#2
Re:firmware bug: radius request retransmission misses eap-state, freeradius responses with reject
2025-06-04 07:41:31

  @Clive_A 

> 1. Diagram of your network.



> 3. TCP dump or Wireshark on the RADIUS server while the authentication happens. We need a full capture when the problem happens.

Exactly the same (10.0.0.3 is the switch, 10.1.2.1 is the freeradius server), but here with more verbose output:

11:02:54.478033 IP (tos 0x0, ttl 64, id 16203, offset 0, flags [DF], proto UDP (17), length 166)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 138
    Access-Request (1), id: 0x2e, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 24, Value: Response (2), id 2, len 22
         Type Identity (1), Identity: apple_lan_thatsme
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      Message-Authenticator Attribute (80), length: 18, Value: .....O.Z'.x. .g.
11:02:54.479542 IP (tos 0x0, ttl 63, id 29929, offset 0, flags [DF], proto UDP (17), length 92)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 64
    Access-Challenge (11), id: 0x2e, Authenticator: d7071e95b29ff0017add0f037e666954
      Message-Authenticator Attribute (80), length: 18, Value: ...-.. ).@...9..
      EAP-Message Attribute (79), length: 8, Value: Request (1), id 3, len 6
         Type TTLS (21) TTLSv0 flags [Start bit] 0x20
      State Attribute (24), length: 18, Value: -7..-4.........<
11:02:54.485256 IP (tos 0x0, ttl 64, id 16204, offset 0, flags [DF], proto UDP (17), length 323)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 295
    Access-Request (1), id: 0x2f, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 163, Value: Response (2), id 3, len 161
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 151
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7..-4.........<
      Message-Authenticator Attribute (80), length: 18, Value: m.1$./..(.W..'.)
11:02:54.495593 IP (tos 0x0, ttl 63, id 29939, offset 0, flags [DF], proto UDP (17), length 1092)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 1064
    Access-Challenge (11), id: 0x2f, Authenticator: 3fbed79113c4ccfc7b70b06bfe90ddc6
      Message-Authenticator Attribute (80), length: 18, Value: ......>.?......>
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 243, Value: EAP fragment?
      State Attribute (24), length: 18, Value: -7..,3.........<
11:02:54.508580 IP (tos 0x0, ttl 64, id 16206, offset 0, flags [DF], proto UDP (17), length 168)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 140
    Access-Request (1), id: 0x30, Authenticator: 3328535e7b536cf9b318055d8dce19fa
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 8, Value: Response (2), id 4, len 6
         Type TTLS (21) TTLSv0 flags [none] 0x00
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7..,3.........<
      Message-Authenticator Attribute (80), length: 18, Value: ....=....%.....#
11:02:54.510434 IP (tos 0x0, ttl 63, id 29954, offset 0, flags [DF], proto UDP (17), length 1092)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 1064
    Access-Challenge (11), id: 0x30, Authenticator: f1155949a826c03d78b88c8716492fc5
      Message-Authenticator Attribute (80), length: 18, Value: ^.Q.Vj._.....
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 243, Value: EAP fragment?
      State Attribute (24), length: 18, Value: -7../2.........<
11:02:54.513539 IP (tos 0x0, ttl 64, id 16207, offset 0, flags [DF], proto UDP (17), length 168)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 140
    Access-Request (1), id: 0x31, Authenticator: 3328535e7b536cf9b318055d8dce19fa
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 8, Value: Response (2), id 5, len 6
         Type TTLS (21) TTLSv0 flags [none] 0x00
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7../2.........<
      Message-Authenticator Attribute (80), length: 18, Value: ~.5.n.`....B..z.
11:02:54.514849 IP (tos 0x0, ttl 63, id 29957, offset 0, flags [DF], proto UDP (17), length 1092)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 1064
    Access-Challenge (11), id: 0x31, Authenticator: 4c61ec5020319a7800baf316893e7018
      Message-Authenticator Attribute (80), length: 18, Value: .$+R.R..d..o.s2.
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 243, Value: EAP fragment?
      State Attribute (24), length: 18, Value: -7...1.........<
11:02:54.518103 IP (tos 0x0, ttl 64, id 16208, offset 0, flags [DF], proto UDP (17), length 168)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 140
    Access-Request (1), id: 0x32, Authenticator: 3328535e7b536cf9b318055d8dce19fa
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 8, Value: Response (2), id 6, len 6
         Type TTLS (21) TTLSv0 flags [none] 0x00
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7...1.........<
      Message-Authenticator Attribute (80), length: 18, Value: .?._.....)...
11:02:54.519623 IP (tos 0x0, ttl 63, id 29960, offset 0, flags [DF], proto UDP (17), length 1092)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 1064
    Access-Challenge (11), id: 0x32, Authenticator: 678824bd907c75c8b2d8dc6ff22aeb60
      Message-Authenticator Attribute (80), length: 18, Value: ........Y..{....
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 255, Value: EAP fragment?
      EAP-Message Attribute (79), length: 243, Value: EAP fragment?
      State Attribute (24), length: 18, Value: -7..)0.........<
11:02:54.522606 IP (tos 0x0, ttl 64, id 16209, offset 0, flags [DF], proto UDP (17), length 168)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 140
    Access-Request (1), id: 0x33, Authenticator: 3328535e7b536cf9b318055d8dce19fa
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 8, Value: Response (2), id 7, len 6
         Type TTLS (21) TTLSv0 flags [none] 0x00
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7..)0.........<
      Message-Authenticator Attribute (80), length: 18, Value: ..WBd!km..t..i..
11:02:54.523961 IP (tos 0x0, ttl 63, id 29962, offset 0, flags [DF], proto UDP (17), length 156)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 128
    Access-Challenge (11), id: 0x33, Authenticator: 0304fcd86e7f86ba4c2a0b92bd96ae44
      Message-Authenticator Attribute (80), length: 18, Value: h..o..../f..V...
      EAP-Message Attribute (79), length: 72, Value: Request (1), id 8, len 70
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 4020
      State Attribute (24), length: 18, Value: -7..(?.........<
11:02:54.535647 IP (tos 0x0, ttl 64, id 16210, offset 0, flags [DF], proto UDP (17), length 298)
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 270
    Access-Request (1), id: 0x34, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 138, Value: Response (2), id 8, len 136
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 126
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7..(?.........<
      Message-Authenticator Attribute (80), length: 18, Value: 1..XY...K.~$C...
11:02:54.539823 IP (tos 0x0, ttl 63, id 29975, offset 0, flags [DF], proto UDP (17), length 147)
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 119
    Access-Challenge (11), id: 0x34, Authenticator: 2d0dcced9b854c9b21bc8f66158d5f53
      Message-Authenticator Attribute (80), length: 18, Value: ....#...:..U.
      EAP-Message Attribute (79), length: 63, Value: Request (1), id 9, len 61
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 51
      State Attribute (24), length: 18, Value: -7..+>.........<
11:02:54.542691 IP (tos 0x0, ttl 64, id 16211, offset 0, flags [DF], proto UDP (17), length 245)     <--- first request
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 217
    Access-Request (1), id: 0x35, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      State Attribute (24), length: 18, Value: -7..+>.........<
      Message-Authenticator Attribute (80), length: 18, Value: x....g.q..R.....
11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227)   <-- retransmission packet
    10.0.0.3.46115 > 10.1.2.1.radius: RADIUS, length: 199
    Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41
      User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
      EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
         Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73
      NAS-IP-Address Attribute (4), length: 6, Value: 10.0.0.3
      NAS-Port Attribute (5), length: 6, Value: 3
      NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
      Service-Type Attribute (6), length: 6, Value: Framed
      Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
      Message-Authenticator Attribute (80), length: 18, Value: ..-s...f .... ..
11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66)       <-- reject retransmission packet
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 38
    Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17
      Message-Authenticator Attribute (80), length: 18, Value: pK.._.....JN.j\0
11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88)       <-- accept first request
    10.1.2.1.radius > 10.0.0.3.46115: RADIUS, length: 60
    Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839
      Message-Authenticator Attribute (80), length: 18, Value: .d.U.....q.K....
      Framed-MTU Attribute (12), length: 6, Value: 994
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
      Tunnel-Private-Group-ID Attribute (81), length: 4, Value: 110 

 


I do EAP-TTLS + PAP. The firmware bug in the retransmission packet could be specific to that EAP-type.

To reproduce it, it is crucial that the switch times out while FreeRADIUS is still processing the request after the TLS challenge/handshake.
To simplify reproduction, I recommend setting the timeout to 1 or 2 in the switch and slowing down FreeRADIUS using expensive modules.
I save the User-Name in the authorize section of the proxy-inner-tunnel and reuse it in the ldap module in post-auth to do the dynamic VLAN assignment based on group membership.
 

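As an added example (not code from this thread, from TP-Link or from FreeRADIUS), the following Python script rebuilds the two Access-Requests of the captures above as constructed sample packets, parses their attribute TLVs and applies the checks a RADIUS server relies on: the retransmission changes Identifier and Request Authenticator and drops the State echoed from the last Access-Challenge, which is why FreeRADIUS cannot find the EAP session and answers Access-Reject. The 18-byte difference between the two packet lengths in both captures (227 vs 209, 217 vs 199) is exactly one State attribute of length 18; attribute values here are sample data modelled on the capture, and the Message-Authenticator is a zero placeholder rather than a real HMAC.

```python
import struct

# RADIUS attribute type codes seen in the capture (RFC 2865 / RFC 2869)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
STATE, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 24, 31, 32, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
ACCESS_REQUEST = 1

def build(code, ident, authenticator, attrs):
    """Serialise header (code, id, length, 16-byte authenticator) followed by attribute TLVs."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(packet):
    """Return (code, id, length, authenticator, [(type, value), ...]); rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, packet[4:20], attrs

def is_eap_continuation(attrs):
    """True for an EAP Response that is not an Identity response, i.e. a conversation already started."""
    eap = b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)  # reassemble fragments
    return len(eap) >= 5 and eap[0] == 2 and eap[4] != 1

def check_retransmission(first, retrans):
    """Findings for a retransmitted Access-Request compared with the original it repeats.
    A retransmission keeps its Identifier (RFC 2865) and must echo the State from the last
    Access-Challenge; without it the server cannot find the EAP session."""
    f_code, f_id, f_len, f_auth, f_attrs = parse(first)
    r_code, r_id, r_len, r_auth, r_attrs = parse(retrans)
    if f_code != ACCESS_REQUEST or r_code != ACCESS_REQUEST:
        return ["not an Access-Request pair"]
    findings = []
    if r_id != f_id:
        findings.append("identifier changed 0x%02x -> 0x%02x: server cannot detect the duplicate" % (f_id, r_id))
    if r_auth != f_auth:
        findings.append("Request Authenticator changed: not a byte-identical retransmission")
    f_state = [value for atype, value in f_attrs if atype == STATE]
    r_state = [value for atype, value in r_attrs if atype == STATE]
    if is_eap_continuation(r_attrs) and not r_state:
        findings.append("State missing from EAP continuation (packet shrank by %d bytes)" % (f_len - r_len))
    elif r_state != f_state:
        findings.append("State attribute differs from the original request")
    return findings

# Constructed sample packets modelled on the capture: id 0x35 (first request, 217 bytes)
# and the id 0x36 retransmission (199 bytes) that lost its State attribute.
EAP_TTLS_RESPONSE = (struct.pack("!BBHB", 2, 9, 83, 21)      # EAP Response, id 9, len 83, type TTLS
                     + b"\x80" + struct.pack("!I", 73)       # flags: L bit set, TLS message length 73
                     + b"\x17\x03\x03\x00\x44" + b"\x00" * 68)  # TLS record header + placeholder body
COMMON = [(USER_NAME, b"apple_lan_thatsme"), (EAP_MESSAGE, EAP_TTLS_RESPONSE),
          (NAS_IP_ADDRESS, bytes([10, 0, 0, 3])), (NAS_PORT, struct.pack("!I", 3)),
          (NAS_IDENTIFIER, b"DC6279CF8CB4"), (SERVICE_TYPE, struct.pack("!I", 2)),   # Framed-User
          (CALLING_STATION_ID, b"00-E0-4C-68-20-7E"), (NAS_PORT_TYPE, struct.pack("!I", 15))]  # Ethernet
MSG_AUTH = (MESSAGE_AUTHENTICATOR, b"\x00" * 16)     # placeholder; a real one is HMAC-MD5 over the packet
SAMPLE_STATE = b"\x2d\x37" + b"\x00" * 13 + b"\x3c"  # 16-byte sample State echoed from the Access-Challenge
FIRST_REQUEST = build(ACCESS_REQUEST, 0x35, b"\x4f\xd8" * 8, COMMON + [(STATE, SAMPLE_STATE), MSG_AUTH])
RETRANSMISSION = build(ACCESS_REQUEST, 0x36, b"\x1c\x90" * 8, COMMON + [MSG_AUTH])

if __name__ == "__main__":
    print("lengths:", parse(FIRST_REQUEST)[2], parse(RETRANSMISSION)[2])   # 217 199
    for finding in check_retransmission(FIRST_REQUEST, RETRANSMISSION):
        print("-", finding)
```

Feeding a correct retransmission (the same bytes sent twice) through check_retransmission returns no findings, which is the behaviour the switch firmware should show.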
#3
Re:firmware bug: radius request retransmission misses eap-state, freeradius responses with reject
2025-06-04 07:54:21

  @Clive_A 

> 2. Export the running-config. On the controller page, you have an option on the device page. Action tab, "Show running-config". A button like this "</>".

When I try to attach the file I get "Invalid format. This type of file is unsupported."


The radius configuration shown is this:

#
radius-server host 10.1.2.1 auth-port 1812 acct-port 1813 timeout 5 retransmit 2 nas-id "DC6279CF8CB4" key 0 mysecret
aaa group radius radius_auth
server 10.1.2.1
#
aaa group radius radius_acct
server 10.1.2.1
#
aaa authentication dot1x default radius_auth
aaa accounting dot1x default radius_acct


Moreover, in the device CLI I do this on all switches:

#
radius-server host 10.1.2.1 timeout 9 retransmit 1

to mitigate the bug a little. If I could configure that in the RADIUS profile, it would be very appreciated.
