Hi Heikki,

On 05/25/2017 03:13 PM, Heikki Vatiainen wrote:
>> I've identified several clients running Win7 and one running 8.1 which
>> are occasionally refused because of PEAP session resumption. It looks
>> like it is related to the situation when clients are changing essid. We
>> are running eduroam and eduroam-cesnet, I was able to identify moments
>> when a client tries to jump from one essid to another and in that moment
>> resumption fails.
>
> It might be that the client considers SSID change an event that, while
> using TLS session resumption to get PEAP tunnel up, requires a full
> inner authentication.
>
> You could try this as a workaround for rejects: If your controller adds
> SSID in the requests as an attribute, you could try setting
> EAPTLS_SessionContextId so that it includes the SSID. After the SSID
> change the server should require a full authentication which takes
> longer but should not cause a reject.
>
> https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html#EAPTLS_SessionContextId_AuthByxxxxxx

yes, our WLC is sending this info:

Called-Station-Id = "f4-4e-05-ec-a8-d0:eduroam"
Called-Station-Id = "f4-4e-05-d5-9a-a0:eduroam-cesnet"

I configured it this way:

EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}
# %0 - Client
# %n - username
# %2 - AuthBy
# %3 - current EAP Type number

> If you try the above, please let me and the list know how it worked.

Sure, it will require a few days to be sure if it helps.

> You could help testing when Radiator knows to start inner authentication
> after TLS session resumption. The change required affects PEAP behaviour
> considerably and we did not want to rush it in the current release. Once
> we have something to test, we will let you know.

Ok, let me know.

>> Could you please provide a time plan when this issue will be resolved?
>
> I don't have that yet. However, the issue does affect a number of people
> which raises its priority.

Thank you
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
_______________________________________________
radiator mailing list
http://lists.open.com.au/mailman/listinfo/radiator
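
Added example, not part of the original message and not Radiator code: a simplified Python model of TLS session resumption that is only allowed inside a context string built from the same four parts as the configuration above. It shows that a Called-Station-Id in the `AP-MAC:SSID` form also changes when a client moves between access points on one SSID. The client name, user name, AuthBy label and the 00-00-5e-00-53-01 MAC are constructed, and all function names are hypothetical.

```python
import re

# Added illustration, not Radiator code: resumption is allowed only inside the
# context the cached TLS session was created in. All names are hypothetical.

_CSID = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$")

def split_called_station_id(value):
    """Split 'AP-MAC:SSID' (the format shown in the thread) into (mac, ssid)."""
    m = _CSID.match(value)
    if m is None:
        raise ValueError("Called-Station-Id carries no SSID: %r" % value)
    return m.group(1).lower(), m.group(2)

def context_id(client, username, auth_by, called_station_id, ssid_only):
    """Join the same four parts as the posted config; optionally drop the AP MAC."""
    _mac, ssid = split_called_station_id(called_station_id)
    scope = ssid if ssid_only else called_station_id
    return "|".join((client, username, auth_by, scope))

def replay(requests, ssid_only):
    """Return 'resumed' or 'full' for each request of one supplicant, in order."""
    cached_context = None          # context of the supplicant's cached TLS session
    outcomes = []
    for client, username, auth_by, csid in requests:
        ctx = context_id(client, username, auth_by, csid, ssid_only)
        if ctx == cached_context:
            outcomes.append("resumed")
        else:
            outcomes.append("full")   # context changed: full inner authentication
            cached_context = ctx      # new session is cached under the new context
    return outcomes

# Constructed sample: the two Called-Station-Id values with f4-4e-05 MACs are from
# the thread; the 00-00-5e-00-53-01 MAC, client, user and AuthBy label are made up.
REQUESTS = [
    ("wlc1", "user@example.org", "peap", "f4-4e-05-ec-a8-d0:eduroam"),
    ("wlc1", "user@example.org", "peap", "f4-4e-05-ec-a8-d0:eduroam"),
    ("wlc1", "user@example.org", "peap", "00-00-5e-00-53-01:eduroam"),
    ("wlc1", "user@example.org", "peap", "f4-4e-05-d5-9a-a0:eduroam-cesnet"),
]

if __name__ == "__main__":
    print("whole attribute:", replay(REQUESTS, ssid_only=False))
    print("SSID part only: ", replay(REQUESTS, ssid_only=True))
```

In this model the third request (same SSID, different access point) needs a full authentication when the whole attribute is in the context, and resumes when only the SSID part is used.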