[RADIATOR] random EAP authentication errors since 4.17
Heikki Vatiainen
hvn at open.com.au
Tue Dec 13 06:40:55 UTC 2016
On 30.11.2016 19.09, Hartmaier Alexander wrote:
> Correct me if I'm wrong but can a resumed session ever be not accepted?
It's possible. EAP-TLS can check if the user is still available in the
user database or whether their account has been, for example, removed.
PEAP requires the server and client to share a single handshake over the
resumed TLS tunnel before the PEAP authentication is fully accepted by
both peers. This could be thought of as one sort of authentication.
In other words, TLS resume tells that the peers can resume a previously
created session. On the EAP and Radius layer I'd consider a TLS resumed
EAP-TLS, PEAP, etc. just a quicker way to authenticate where some things
were skipped since they were already done, for example inner
authentication, certificate checks.
> As it means that a successful auth has happened before.
> Should a PostAuth hook, or some of the other hooks, be run at all in
> this case?
I think the hooks and other processing should be called the same as with
non-resumed authentication. There could be, for example, an AuthBy GROUP
where PEAP authby runs first and then another authby possibly does
authorisation. This next authby may not care if PEAP did a full or
resumed authentication but it needs to run always.
> It might make sense to differentiate between an authentication and a
> resumption.
This can be made available for hooks. What you can already do is to
check Net::SSLeay::session_reused(). More about this in another reply.
> As the 'last_reply_attrs' are already stored in the context it might be
> the easiest option to either use a different hook instead of PostAuth,
> continue using PostAuth if you decide to not call PostAuth for resumed
> 'auths' or detect the resumption in the Hook and just bail out of it at
> the very beginning.
Detecting resumption in a Hook could be the best option here. If the
hook needs to behave differently, then it can do so.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.