On 2016-11-30 16:35, Heikki Vatiainen wrote:
On 30.11.2016 17.21, Hartmaier Alexander wrote:

we only do machine cert authentication. Can I log the SessionContextId
for debugging purposes to really make sure it's not the issue?

This defaults to Handler. In other words, if a full authentication was
processed by Handler A, the resumption will only work with Handler A.
If Handler B is selected, full authentication is done. If this
happens, it is not an error but a normal full authentication.
I do understand the inner workings, thanks.

This also happens for smartphones, mainly Apple and Android.

Do you have log messages about errors?
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
    $context->{customer} = $customer;
    $context->{ca_name} = $ca_name;
    $context->{cert_usage} = $cert_usage;
    $context->{cert_subject} = $subject; # for logging only
    $context->{cert_issuer} = $cert_issuer; # for logging only

PostAuthHooks use $context->{customer} and $context->{cert_usage} to
allow/deny wired/wireless access, assign the VLAN ID and restrict SSIDs.
The error messages that started getting logged after the 4.17 update are
our custom reject reasons:
$$reason = "certificate usage '$cert_usage' not for DIRECT, subject: "
.  $context->{cert_subject} . ", issuer: " . $context->{cert_issuer};

I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
cause this when roaming from access-point to access-point?

This should only matter when it takes more than 120 seconds for the
client to respond after Radiator sends RADIUS Access-Challenge to get
the client to continue the ongoing EAP authentication. Once the
authentication has finished, this context is not required any longer.

The information required for resume is kept longer. See
EAPTLS_SessionResumptionLimit, which defaults to 12 hours.

https://www.open.com.au/radiator/ref/EAPTLS_SessionResumptionLimit.html

I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't, which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.

Thanks,
Heikki
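The failure mode discussed above, as an added stand-alone example that is not code from the thread or from Radiator: a verify hook fills the EAP context only during a full authentication, so on a resumed TLS session the PostAuthHook sees an empty context and produces exactly the kind of reject reason quoted in the thread, with empty usage, subject and issuer. The hardened PostAuthHook below treats a missing cert_usage as "verify hook did not run" and falls back to what the full authentication established, cached per Calling-Station-Id for the resumption window. Assumptions, all labelled in the code: the hooks are called directly with a context hashref, parsed subject/issuer strings and the Calling-Station-Id instead of Radiator's real hook arguments ($p, $rp, $result, $reason for the PostAuthHook); the CN=<customer>-<usage> naming convention and the sample certificate names are constructed; results are the strings ACCEPT/REJECT rather than Radiator's numeric constants. Keying the cache by MAC is a lookup aid only: a client that merely spoofs the MAC cannot resume the TLS session without the original session secret, so the resumption itself is the authentication and the cache only restores authorization data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Authorization data derived at full authentication, keyed by Calling-Station-Id.
# Assumption: the resumed session comes from the same supplicant MAC; entries
# expire with the resumption window (EAPTLS_SessionResumptionLimit default).
my %authz_cache;
my $RESUMPTION_LIMIT = 12 * 3600;

# Model of the EAPTLS_CertificateVerifyHook body (runs only on full auth).
# Radiator passes its own arguments to the real hook; here the parsed subject
# and issuer strings are handed in directly (assumption).
sub verify_hook {
    my ($context, $subject, $issuer, $calling_station) = @_;
    # Constructed naming convention for this example: CN=<customer>-<usage>
    my ($customer, $cert_usage) = $subject =~ /CN=([^-,]+)-([^,]+)/
        or return 0;
    my ($ca_name) = $issuer =~ /CN=([^,]+)/;
    $context->{customer}     = $customer;
    $context->{ca_name}      = $ca_name;
    $context->{cert_usage}   = $cert_usage;
    $context->{cert_subject} = $subject;   # for logging only
    $context->{cert_issuer}  = $issuer;    # for logging only
    $authz_cache{$calling_station} = {
        customer => $customer, cert_usage => $cert_usage, seen => time(),
    };
    return 1;
}

# Model of the PostAuthHook body (runs on full auth AND on resumption).
# Real arguments are ($p, $rp, $result, $reason); here the context hashref and
# Calling-Station-Id stand in for $p (assumption).
sub post_auth_hook {
    my ($context, $calling_station, $result, $reason) = @_;
    my ($customer, $cert_usage) = @{$context}{qw(customer cert_usage)};

    if (!defined $cert_usage) {
        # No certificate data: the verify hook did not run, i.e. the TLS
        # session was resumed. Reuse what the full authentication established
        # instead of rejecting with an empty usage string.
        my $cached = $authz_cache{$calling_station};
        if (!$cached || time() - $cached->{seen} > $RESUMPTION_LIMIT) {
            $$result = 'REJECT';
            $$reason = "no certificate data (resumed session?) and no cached "
                     . "authorization for $calling_station";
            return;
        }
        ($customer, $cert_usage) = @{$cached}{qw(customer cert_usage)};
    }

    if ($cert_usage ne 'DIRECT') {
        $$result = 'REJECT';
        $$reason = "certificate usage '$cert_usage' not for DIRECT, subject: "
                 . ($context->{cert_subject} // '<not available>')
                 . ", issuer: " . ($context->{cert_issuer} // '<not available>');
        return;
    }
    $$result = 'ACCEPT';
    $$reason = "customer $customer, usage $cert_usage";
}

# Driver: full authentication, then a resumption from the same MAC (empty
# context because the verify hook did not run), then a resumption from a MAC
# that never completed a full authentication. All values are constructed.
my $mac = '00-11-22-33-44-55';
my ($result, $reason);

my %full_ctx;
verify_hook(\%full_ctx, 'CN=acme-DIRECT,O=Example', 'CN=Example Issuing CA 1', $mac);
post_auth_hook(\%full_ctx, $mac, \$result, \$reason);
print "full auth: $result ($reason)\n";

my %resumed_ctx;
post_auth_hook(\%resumed_ctx, $mac, \$result, \$reason);
print "resumed:   $result ($reason)\n";

post_auth_hook({}, '66-77-88-99-aa-bb', \$result, \$reason);
print "unknown:   $result ($reason)\n";
```

The distinct reject reason for the "no certificate data" branch matters for operations: it separates a genuine wrong-usage certificate from a resumption the site's hooks were never written to handle, which is the distinction the thread is trying to make from the logs alone.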
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator