(RADIATOR) Problems with TTLS session resume
Terry Simons
galimore at mac.com
Fri Sep 3 12:41:27 CDT 2004
> But associations are ephemeral. The NAS Port sent by the Cisco AP is
> constant over the life of the association. I'm not sure how you could
> have a constant NAS Port when there is no physical port.
But you're associated to a specific physical wireless card, aren't you?
So that could be the "port" (i.e. "card 1").
It's a shared media, so everybody is connected to the same "port". It
doesn't make much sense to use the NAS-Port attribute otherwise, and
seems like it would be better to simply send only the NAS-Port-Type
specifying wireless connectivity.
> Terry> though I don't see how the NAS Port changing would cause
> Terry> session resumption to fail, unless Radiator is using that
> Terry> information somehow on the resume?
>
> RADIATOR uses a number of attributes to identify the client and
> retrieve the old authentication context. These attributes include
> NAS-Port and NAS-IP-Address.
I gathered that from the bottom of your original post, thanks for
clarifying.
>
> Terry> The second problem is one that you probably can't solve at
> Terry> all. When you hop APs, the AP will initiate a new
> Terry> connection with you. Since the AP doesn't have any
> Terry> information from your previous authentication, you can't
> Terry> "resume" - It's not possible to resume a session that
> Terry> doesn't exist. This is also possibly contrary to the
> Terry> 802.1X standard, but I don't know enough about session
> Terry> resumption to say for sure...
>
> I don't see why. As far as 802.1X is concerned, it's just a regular
> authentication. The session resumption is a specific feature of
> EAP-TTLS and PEAP. The state is held in the authentication server (ie
> RADIATOR); the AP doesn't do anything special.
So this should work assuming Radiator sends back an MS-MPPE-KEY message
to the newly-associated AP, otherwise the AP can't key you correctly.
So it sounds like this *could* be made to work with Radiator.
- Terry
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
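The thread's point is that a resume lookup keyed on per-AP attributes (NAS-IP-Address, NAS-Port) cannot find the saved context after the client hops to another AP. The following toy model is an added illustration, not Radiator's code: the attribute sets, the request contents and the "client-only" key (User-Name plus Calling-Station-Id) are assumptions chosen to show the effect, and Radiator's actual lookup logic is not reproduced.

```python
# Toy model of an EAP-TTLS/PEAP session-resume cache (added illustration,
# not Radiator's code). The attribute sets below are assumptions.

# Constructed RADIUS Access-Request attributes for the first association.
FIRST_ASSOCIATION = {
    "User-Name": "alice@example.org",
    "NAS-IP-Address": "192.0.2.10",          # AP 1
    "NAS-Port": 1,
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "00-11-22-33-44-55",
}

# Same client after hopping to a second AP: the AP-side attributes change,
# the client identity attributes do not.
AFTER_ROAM = dict(FIRST_ASSOCIATION, **{"NAS-IP-Address": "192.0.2.11",
                                        "NAS-Port": 7})


class ResumeCache:
    """Saves the TLS authentication context under a key built from the
    listed attributes and tries to find it again on the next request."""

    def __init__(self, key_attrs):
        self.key_attrs = tuple(key_attrs)
        self.store = {}

    def key(self, request):
        # Missing attributes become None rather than raising, so a request
        # that lacks one of the key attributes simply fails to match.
        return tuple(request.get(attr) for attr in self.key_attrs)

    def save(self, request, context):
        self.store[self.key(request)] = context

    def lookup(self, request):
        # None means "no context": the server must run a full authentication
        # (including the inner method) instead of resuming.
        return self.store.get(self.key(request))


def resume_survives_roam(key_attrs):
    """True if a context saved on the first AP is found again after the roam."""
    cache = ResumeCache(key_attrs)
    cache.save(FIRST_ASSOCIATION, {"tls_session": "ctx-1", "inner_auth": "ok"})
    return cache.lookup(AFTER_ROAM) is not None


# Candidate keys. The first mirrors the attributes the thread names; the
# others are hypothetical alternatives for comparison.
KEY_WITH_PORT = ("User-Name", "NAS-IP-Address", "NAS-Port")
KEY_WITHOUT_PORT = ("User-Name", "NAS-IP-Address")
KEY_CLIENT_ONLY = ("User-Name", "Calling-Station-Id")   # assumed stable key

if __name__ == "__main__":
    for name, attrs in (("with NAS-Port", KEY_WITH_PORT),
                        ("without NAS-Port", KEY_WITHOUT_PORT),
                        ("client attributes only", KEY_CLIENT_ONLY)):
        print(f"{name:24s} resume after roam: {resume_survives_roam(attrs)}")
```

Dropping NAS-Port alone is not enough in this model, because NAS-IP-Address also changes when the new AP sends the request; only a key built from attributes the client carries with it survives the hop. And as the message notes, a successful lookup only skips the inner authentication: the server still has to return fresh MS-MPPE keys to the newly associated AP, or that AP cannot key the client.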