Hi Heikki,

we only do machine cert authentication. Can I log the SessionContextId
for debugging purposes to really make sure it's not the issue?

This also happens for smartphones, mainly Apple and Android.

I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
cause this when roaming from access-point to access-point?

Best regards, Alex


On 2016-11-30 16:12, Heikki Vatiainen wrote:
On 30.11.2016 16.27, Hartmaier Alexander wrote:

we have random EAP authentication errors since the upgrade to 4.17.
I figured it might have something to do with the EAP session resumption
changes in 4.17.

For tweaking resumption behaviour, can you try adding the parameter
shown below to EAPTLS_ settings?

I have been looking at this, and my suspicion is that when Windows has
been configured to try both machine and username authentication, it
uses the same TLS session for both. This may cause confusion for
it when a session resumption succeeds as machine while the session was
first successful for username authentication. What Radiator sees is a
successful resumption and proceeds as usual.

In 4.17 you can further restrict the context for which the resumption
is considered. So please add the original username to the context to
use host/ prefix for creating a separate context for machine vs
username authentication.

EAPTLS_SessionContextId %u%1

The above adds original User-Name to the resumption context which will
create separate resumption context when the username changes.

This parameter goes to AuthBy that handles the outer EAP
authentication (certificates, etc.).

For more:
https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html


Thanks,
Heikki

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
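
Added example, not part of the original thread and not Radiator's own code: a toy Python model of the resumption behaviour described in the quoted reply, where a TLS session first established for a username is offered again for a host/ machine identity. The cache class, the context string format and the sample identities are assumptions made for illustration.

```python
"""Toy model of EAP-TLS session resumption scoped by a context id."""
import secrets


class ResumptionCache:
    def __init__(self, bind_username):
        # bind_username=True models adding the original User-Name to the
        # resumption context, the effect the thread attributes to
        # EAPTLS_SessionContextId.
        self.bind_username = bind_username
        self._sessions = {}  # session id -> (context, identity it was created for)

    def _context(self, user_name):
        # Assumption: context = fixed server part, optionally plus User-Name.
        return f"eap-tls|{user_name}" if self.bind_username else "eap-tls"

    def full_handshake(self, user_name):
        """Full certificate authentication succeeded: cache the session."""
        session_id = secrets.token_bytes(16)
        self._sessions[session_id] = (self._context(user_name), user_name)
        return session_id

    def authenticate(self, user_name, session_id=None):
        """Return (how, identity the TLS session was established for)."""
        cached = self._sessions.get(session_id)
        if cached and cached[0] == self._context(user_name):
            return "resumed", cached[1]
        # Unknown session or context mismatch: no resumption, so the
        # client has to complete a full handshake as user_name.
        self.full_handshake(user_name)
        return "full", user_name


def user_then_machine(bind_username):
    """Client authenticates as a user, then offers the same TLS session
    while authenticating as the machine (constructed identities)."""
    cache = ResumptionCache(bind_username)
    sid = cache.full_handshake("alice@example.org")
    return cache.authenticate("host/pc01.example.org", sid)


def machine_then_machine(bind_username):
    """Same identity both times: resumption should keep working."""
    cache = ResumptionCache(bind_username)
    sid = cache.full_handshake("host/pc01.example.org")
    return cache.authenticate("host/pc01.example.org", sid)


if __name__ == "__main__":
    for bind in (False, True):
        print(bind, user_then_machine(bind), machine_then_machine(bind))
```

With the shared context the machine login resumes a session that was established for the username; with the User-Name in the context it falls back to a full handshake, while same-identity resumption is unaffected.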
