[RADIATOR] PEAP internal session resumption breaks some clients
Heikki Vatiainen
hvn at open.com.au
Thu Aug 27 02:40:40 CDT 2015
On 27.8.2015 9.32, David Zych wrote:
> We have a Windows 7 client that in certain locations around campus
> periodically gets booted off wireless and prompts the user to
> re-enter his credentials.
Thanks for the information. A couple of questions and comments related
to this: first, is this just Windows 7 or is it possible/hard to say
that there might be problems with other clients too?
It might be a good idea to check the settings on the host that has
problems and compare them to a host that works. The problem might be
something that is caused by the settings.
> There are plenty of other clients in our environment that do _not_
> have this problem (i.e. are able to successfully resume a PEAP session
> and get Access-Accept); nonetheless, because it's having a negative
> impact on some clients I've had to disable EAPTLS_SessionResumption.
Disabling EAPTLS_SessionResumption is safe to do. In fact, it might be a
good default option too when one starts to build the authentication
configuration. Having it off can increase authentication server and
backend load, but I see no other problem with turning it off.
> I'm interested to know if anybody else has observed this, or has
> suggestions on how to get more information about what exactly is
> going wrong (it's clear PEAP doesn't like the supplicant's last
> RADIUS request / EAP Response, but it's not clear exactly why).
There was a report last month about a similar thing where the fix was the
same as you did: disable EAPTLS_SessionResumption. Now that we have
two cases, it's starting to look like a non-isolated problem.
When it comes to allowing inner authentication after session resumption, I
think the idea with resumption is that the inner authentication can be
skipped completely.
The log messages indicate it's the client that does not want to continue
but returns TLS tunnelled failure indication back to Radiator. For this
reason it would be a good idea to compare the working and non-working
settings.
I'll see what we can do to replicate this too, but if you already have
suitable test hosts, please let us know if you have time to look at them
in more detail.
Also, thanks for the idea of debugging EAP contexts. A hook with some
code that collects information about the request beforehand sounds like
a good idea. I've made a ticket about this for us to look at too.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.