[RADIATOR] random EAP authentication errors since 4.17

Heikki Vatiainen hvn at open.com.au
Wed Nov 30 15:12:34 UTC 2016


On 30.11.2016 16.27, Hartmaier Alexander wrote:

> we have random EAP authentication errors since the upgrade to 4.17.
> I figured it might have something to do with the EAP session resumption
> changes in 4.17.

For tweaking resumption behaviour, can you try adding the parameter 
shown below to EAPTLS_ settings?

I have been looking at this, and my suspicion is that when Windows has 
been configured to try both machine and username authentication, it uses 
the same TLS session for both. This may cause confusion for it when 
a session resumption succeeds as machine while the session was first 
successful for username authentication. What Radiator sees is a 
successful resumption and proceeds as usual.

In 4.17 you can further restrict the context for which the resumption is 
considered. So please add the original username to the context, so that 
the host/ prefix creates a separate context for machine vs. username 
authentication.

EAPTLS_SessionContextId %u%1

The above adds the original User-Name to the resumption context, which will 
create a separate resumption context when the username changes.

This parameter goes to the AuthBy that handles the outer EAP authentication 
(certificates, etc.).

For more:
https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html

Thanks,
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
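For readers who want to see where the parameter sits in a configuration, the fragment below is an added example and is not from the original message or from Radiator's own documentation. The AuthBy type (AuthBy FILE), the certificate file names and paths, the key password and the inner EAP type are assumptions chosen to give a complete PEAP setup; only the placement of EAPTLS_SessionContextId in the AuthBy handling the outer EAP follows the advice above.

```text
# Added example (not part of the original message): placement of
# EAPTLS_SessionContextId in a PEAP setup. AuthBy type, paths, file
# names and the inner EAP type are assumptions.

# Inner (tunnelled) authentication. Handlers are matched in order,
# so the TunnelledByPEAP handler must come before the outer one.
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                Filename %D/users
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

# Outer EAP authentication: certificates, session resumption and the
# resumption context all belong to this AuthBy.
<Handler>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_SessionResumption 1
                # Include the original User-Name in the resumption context so a
                # machine (host/...) resumption and a username resumption never
                # share the same context.
                EAPTLS_SessionContextId %u%1
        </AuthBy>
</Handler>
```

After the change, a client that first authenticated as host/MACHINE and then tries to resume as DOMAIN\user will get a full handshake rather than a resumption, which is the behaviour the reply above aims for.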

