(RADIATOR) Problems with TTLS session resume

Terry Simons galimore at mac.com
Fri Sep 3 11:24:28 CDT 2004 

Hi Roy,

On Sep 3, 2004, at 9:33 AM, Roy Badami wrote:

>
> I'm trying to get TTLS session resumption to work with the Odyssey
> Client.
>
> In particular.  It works when I hit the "reauthenticate" button, but
> in particular I'd like it to work in the following circumstances:
>
>    * Client briefly goes out of coverage, then reassociates with the AP
>    * Client roams from one AP to another.
>
> The problem is that in the first case the NAS Port will change; in the
> second the NAS ID will change too.  As a result EAP.pm is unable to
> retrieve the context (the key has changed).

I would think that the NAS Port shouldn't change... that seems really 
weird.  (None of my equipment does that, and it would make my job 
difficult if it did, since we use that information to determine what 
type of wireless a user came from, 802.11a, b, g etc...).  To give you 
a better example, wired NAS Ports should *NEVER* Change, since it is 
supposed to be the physical port mapping, if possible.  Wireless 
vendors should consider that, and design their equipment 
appropriately... I don't see why you would even bother sending the NAS 
Port if you're just going to change it every time a user authenticates. 
  (It's not a required attribute, as long as the NAS-Port-Type is sent 
in the accounting record...)  Sounds like an issue you should take up 
with the vendor, though I don't see how the NAS Port changing would 
cause session resumption to fail, unless Radiator is using that 
information somehow on the resume?  I would actually be interested in 
hearing the logic behind an ethereal NAS Port.  :-)

The second problem is one that you probably can't solve at all.  When 
you hop APs, the AP will initiate a new connection with you.  Since the 
AP doesn't have any information from your previous authentication, you 
can't "resume" - It's not possible to resume a session that doesn't 
exist.  This is also possibly contrary to the 802.1X standard, but I 
don't know enough about session resumption to say for sure...   You 
might be able to pull this off if your APs are smart enough to share 
information about their 802.1X authentications, but in general this is 
just simply not going to work.


> Changing
>
>     my $key = "eap:$nas_id:$nas_port:$calling_station:$rad_user_name";
>
> to
>
>     my $key = "eap:$calling_station:$rad_user_name";
>
> in EAP.pm allows me to resume a session after straying out of
> coverage.  I assume it will fix the roaming case too -- assuming
> Odyssey Client does the right thing -- though I can't test that since
> my test network only has a single AP.

Why are you concerned with a full re-authentication?

> Is there any reason not to do this?  If not, could this be made an
> option?
>
>       -roy
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list