[RADIATOR] Radiator Version 4.11 released

Heikki Vatiainen hvn at open.com.au
Mon Dec 17 16:05:24 CST 2012


On 12/17/2012 04:53 PM, Jethro R Binks wrote:

> Are there any reasons why I might choose not to enable fast connect/session 
> resumption?  Other broken clients etc?

I do not know of any broken clients. The Windows client was fine too, it
was just more strict than the others.

For the reasons of choosing to enable it or not, you would need to think
about the implications of fast reconnect not doing PEAP inner authentication.

As an example, consider a case where a university campus has eduroam
coverage across all campus buildings. However, the wireless networks for
each campus building have a unique IP subnet. When a user authenticates
for the first time in building A, Radiator assigns VLAN 123 for the
user. The user then roams to another building where full authentication
authorizes VLAN 124 but fast reconnect would return attributes from the
previous full authentication still authorizing VLAN 123. This would be
incorrect and probably shows as a connectivity problem for the user.

In other words, if the inner authentication does some sort of policy or
authorization decision that needs to be done for each network attachment
(calculate remaining time, assign VLANs, etc.) then fast reconnect may
not be useful.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
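
The roaming case described in the message above, as an added example that is not part of the original post and is not Radiator code: a toy Python model in which a resumed session returns the reply attributes cached at the last full authentication. The class and function names, the building-to-VLAN map and the `bind_to_context` option (one possible way to force a full authentication when the attachment context changes) are assumptions made for illustration.

```python
"""Toy model of PEAP fast reconnect (TLS session resumption).
Not Radiator code; all names and the VLAN map are assumptions."""
from dataclasses import dataclass

# Constructed policy: VLAN a full inner authentication authorises per building.
VLAN_BY_BUILDING = {"A": 123, "B": 124}

@dataclass
class CachedSession:
    user: str
    building: str   # context in which the full authentication ran
    reply: dict     # reply attributes saved at full authentication

class ToyEapServer:
    def __init__(self, bind_to_context: bool):
        self.bind_to_context = bind_to_context  # hypothetical option
        self.cache = {}                         # TLS session id -> CachedSession
        self.full_auths = 0

    def _full_auth(self, session_id, user, building):
        # Inner authentication runs, so policy is evaluated for this attachment.
        self.full_auths += 1
        reply = {"Tunnel-Private-Group-ID": VLAN_BY_BUILDING[building]}
        self.cache[session_id] = CachedSession(user, building, reply)
        return "full", reply

    def authenticate(self, session_id, user, building):
        cached = self.cache.get(session_id)
        if cached is None or cached.user != user:
            return self._full_auth(session_id, user, building)
        if self.bind_to_context and cached.building != building:
            # Attachment context changed: refuse resumption and redo policy.
            return self._full_auth(session_id, user, building)
        # Resumed: inner authentication is skipped, cached attributes are returned.
        return "resumed", cached.reply

def roam(server):
    """User authenticates in building A, then roams to B with the same session."""
    first = server.authenticate("sess-1", "alice", "A")
    second = server.authenticate("sess-1", "alice", "B")
    return first, second

if __name__ == "__main__":
    for bind in (False, True):
        print("bind_to_context =", bind, roam(ToyEapServer(bind)))
```

Without the context check the second attachment is resumed and still carries VLAN 123; with it, the server falls back to a full authentication and authorises VLAN 124.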

