(RADIATOR) Problems with TTLS session resume

Roy Badami roy.badami at globalgraphics.com
Fri Sep 3 11:44:45 CDT 2004


>>>>> "Terry" == Terry Simons <galimore at mac.com> writes:

    Terry> I would think that the NAS Port shouldn't change... that
    Terry> seems really weird.  (None of my equipment does that, and
    Terry> it would make my job difficult if it did, since we use that
    Terry> information to determine what type of wireless a user came
    Terry> from, 802.11a, b, g etc...).  To give you a better example,
    Terry> wired NAS Ports should *NEVER* Change, since it is supposed
    Terry> to be the physical port mapping, if possible.  Wireless
    Terry> vendors should consider that, and design their equipment
    Terry> appropriately...

But associations are ephemeral.  The NAS Port sent by the Cisco AP is
constant over the life of the association.  I'm not sure how you could
have a constant NAS Port when there is no physical port.

    Terry> though I don't see how the NAS Port changing would cause
    Terry> session resumption to fail, unless Radiator is using that
    Terry> information somehow on the resume?  

RADIATOR uses a number of attributes to identify the client and
retrieve the old authentication context.  These attributes include
NAS-Port and NAS-IP-Address.

    Terry> The second problem is one that you probably can't solve at
    Terry> all.  When you hop APs, the AP will initiate a new
    Terry> connection with you.  Since the AP doesn't have any
    Terry> information from your previous authentication, you can't
    Terry> "resume" - It's not possible to resume a session that
    Terry> doesn't exist.  This is also possibly contrary to the
    Terry> 802.1X standard, but I don't know enough about session
    Terry> resumption to say for sure...

I don't see why.  As far as 802.1X is concerned, it's just a regular
authentication.  The session resumption is a specific feature of
EAP-TTLS and PEAP.  The state is held in the authentication server (i.e.
RADIATOR); the AP doesn't do anything special.

	   -roy
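
Added example, not part of the original message and not Radiator's code: a small Python model of the behaviour discussed in this thread, where a resumption context looked up by NAS-IP-Address and NAS-Port is found only while the association (and so the NAS-Port) stays the same. The cache class, the Calling-Station-Id key field, the TLS-session-ID keyed alternative and all sample values are assumptions made for illustration.

```python
# Simplified model of a RADIUS server's EAP-TTLS/PEAP resumption cache.
# Not Radiator's code: key layout and names are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class ResumeCache:
    """Stores inner-authentication results so a later handshake can skip phase 2."""
    key_fields: tuple
    _store: dict = field(default_factory=dict)

    def _key(self, request):
        return tuple(request[f] for f in self.key_fields)

    def remember(self, request, identity):
        self._store[self._key(request)] = identity

    def try_resume(self, request):
        """Return the cached identity, or None when a full authentication is needed."""
        return self._store.get(self._key(request))


def make_request(nas_ip, nas_port, mac, tls_session_id):
    # Constructed sample Access-Request fields (documentation address range).
    return {"NAS-IP-Address": nas_ip, "NAS-Port": nas_port,
            "Calling-Station-Id": mac, "tls_session_id": tls_session_id}


def simulate(key_fields):
    cache = ResumeCache(key_fields)
    mac, sid = "00-11-22-33-44-55", "a1b2c3"   # constructed values
    first = make_request("192.0.2.10", 301, mac, sid)
    cache.remember(first, "alice")             # full TTLS authentication succeeded
    later = {
        "reauth_same_association": make_request("192.0.2.10", 301, mac, sid),
        "reassociate_same_ap": make_request("192.0.2.10", 302, mac, sid),
        "roam_to_other_ap": make_request("192.0.2.11", 17, mac, sid),
    }
    return {name: cache.try_resume(req) is not None for name, req in later.items()}


# Keyed on NAS attributes (the two named in the post, plus station MAC as an assumption).
BY_NAS = simulate(("NAS-IP-Address", "NAS-Port", "Calling-Station-Id"))
# Keyed on the TLS session ID the supplicant offers in its ClientHello (assumed design).
BY_TLS_SESSION = simulate(("tls_session_id",))

if __name__ == "__main__":
    for name in BY_NAS:
        print(f"{name:26} NAS key: {BY_NAS[name]!s:5}  TLS key: {BY_TLS_SESSION[name]}")
```

With the NAS-attribute key only the re-authentication inside the same association resumes; with the session-ID key all three cases do, because the state lives in the authentication server and does not depend on which AP relays the request.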

