[RADIATOR] random EAP authentication errors since 4.17

Hartmaier Alexander alexander.hartmaier at t-systems.at
Mon Dec 12 15:45:39 UTC 2016 

Hi,

please respond how to:

- log auth vs. session resumption

- handle session resumption in PostAuthHooks

- if the last_reply_attrs don't include the attributes added by a 
PostAuthHook

- usability of FarmSize with PEAP-TLS when enabling EAP_UseState


Thanks, Alex


On 2016-12-01 16:02, Hartmaier Alexander wrote:
> Hi,
>
> We're fighting duplicate requests due to slow responses because of 
> PEAP-TLS many exchanged packets.
>
> Is FarmSize still unusable when enabling EAP_UseState because the EAP 
> context data isn't shared between the forked childs?
>
> Can Gossip be used to share this state between the childs or the State 
> attribute to balance all requests of one EAP session always to the 
> same child?
>
>
> I've added this line to all PostAuthHooks and everything seems to work 
> as it should:
>
> my $self = $p->{AuthBy};
> my $context = $self->getEAPContext($p);
>
> return
>         if Net::SSLeay::session_reused($context->{ssl});
>
> As I currently don't log if an auth was an EAP auth or a session 
> resumption I can't tell if the session resumption works.
>
> Can you please advice how to log session resumption?
>
> Thanks, Alex
>
>
> On 2016-11-30 18:09, Hartmaier Alexander wrote:
>> On 2016-11-30 17:45, Heikki Vatiainen wrote:
>>> On 30.11.2016 18.02, Hartmaier Alexander wrote:
>>>
>>>> Let me clarify our setup:
>>>> EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
>>>> populates
>>>>     $context->{customer} = $customer;
>>> [cut]
>>>
>>> Thanks, this clarifies the situation. You need to save information
>>> across resumed authentications.
>>>
>>>> I assume that the PostAuthHook is also run for resumed sessions but
>>>> EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
>>>> $context contents and thus the failure of the PostAuthHook.
>>>
>>> Correct. Certificate verification runs only during full TLS handshake.
>>> Handler's PostAuthHook runs always when Handler is finishing its work.
>>> It does not matter if the TLS handshake within an AuthBy was full or
>>> resumed.
>>>
>>> I'll get back to you about how to save custom information across
>>> resumed authentications. For more about what is saved now, see EAP.pm
>>> and eap_save_resume_context and its counterpart just below. When
>>> thinking about possible options would a hook work for you? Another
>>> possibly might be to automatically save suitably named context
>>> variables, for example $context->{custom_info} would be automatically
>>> saved and restored.
>>>
>>> The reason for this change was to allow the user of State attribute
>>> with EAP authentication and more clearly separate information that is
>>> needed during one EAP authentication dialog from information that
>>> needs to be kept across resumed authentications.
>>>
>>> Thanks,
>>> Heikki
>>>
>> Correct me if I'm wrong but can a resumed session every be not accepted?
>> As it means that a successful auth has happened before.
>> Should a PostAuth hook, or some of the other hooks, be run at all in
>> this case?
>> It might make sense to differenciate between an authentication and a
>> resumption.
>>
>> As the 'last_reply_attrs' are already stored in the context it might be
>> the easiest option to either use a different hook instead of PostAuth,
>> continue using PostAuth if you decide to not call PostAuth for resumed
>> 'auths' or detect the resumption in the Hook and just bail out of it at
>> the very beginning.
>>
>>
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* 
>>
>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>> Handelsgericht Wien, FN 79340b
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* 
>>
>> Notice: This e-mail contains information that is confidential and may 
>> be privileged.
>> If you are not the intended recipient, please notify the sender and then
>> delete this e-mail immediately.
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* 
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at lists.open.com.au
>> http://lists.open.com.au/mailman/listinfo/radiator
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator

More information about the radiator mailing list