[RADIATOR] random EAP authentication errors since 4.17

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Nov 30 16:02:58 UTC 2016 

On 2016-11-30 16:35, Heikki Vatiainen wrote:
> On 30.11.2016 17.21, Hartmaier Alexander wrote:
>
>> we only do machine cert authentication. Can I log the SessionContextId
>> for debugging purposes to really make sure it's not the issue?
>
> This defaults to Handler. In other words, if a full authentication was
> processed by Handler A, the resumption will only work with Handler A.
> If Handler B is selected, full authentication is done. If this
> happens, it is not an error but a normal full authentication.
I do understand the inner workings, thanks.
>
>> This also happens for smartphones, mainly Apple and Android.
>
> Do you have log messages about errors?
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
     $context->{customer} = $customer;
     $context->{ca_name} = $ca_name;
     $context->{cert_usage} = $cert_usage;
     $context->{cert_subject} = $subject; # for logging only
     $context->{cert_issuer} = $cert_issuer; # for loggin only

PostAuthHooks use $context->{customer} and $context->{cert_usage} to
allow/deny wired/wireless access assign VLAN ID/restrict SSIDs.
The error messages that started getting logged after the 4.17 update are
our custom reject reasons:
$$reason = "certificate usage '$cert_usage' not for DIRECT, subject: "
.  $context->{cert_subject} . ", issuer: " . $context->{cert_issuer};

>> I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
>> cause this when roaming from access-point to access-point?
>
> This should only matter when it takes more than 120 seconds for the
> client to respond after Radiator sends RADIUS Access-Challenge to get
> the client to continue the ongoing EAP authentication. Once the
> authentication has finished, this context is not required any longer.
>
> The information required for resume is kept longer. See
> EAPTLS_SessionResumptionLimit that defaults of 12 hours.
>
> https://www.open.com.au/radiator/ref/EAPTLS_SessionResumptionLimit.html
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
>
> Thanks,
> Heikki
>



*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

More information about the radiator mailing list