[RADIATOR] random EAP authentication errors since 4.17

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Nov 30 15:21:11 UTC 2016

Hi Heikki,

we only do machine cert authentication. Can I log the SessionContextId
for debugging purposes to really make sure it's not the issue?

This also happens for smartphones, mainly Apple and Android.

I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
cause this when roaming from access-point to access-point?

Best regards, Alex

On 2016-11-30 16:12, Heikki Vatiainen wrote:
> On 30.11.2016 16.27, Hartmaier Alexander wrote:
>> we have random EAP authentication errors since the upgrade to 4.17.
>> I figured it might have something to do with the EAP session resumption
>> changes in 4.17.
> For tweaking resumption behaviour, can you try adding the parameter
> shown below to EAPTLS_ settings?
> I have been looking at this, and my suspicion is that when Windows has
> been configured to try both machine and username authentication, it
> uses the same TLS session for both. This may cause confusion for
> it when a session resumption succeeds as machine while the session was
> first successful for username authentication. What Radiator sees is a
> successful resumption and proceeds as usual.
> In 4.17 you can further restrict the context for which the resumption
> is considered. So please add the original username to the context to
> use host/ prefix for creating a separate context for machine vs
> username authentication.
> EAPTLS_SessionContextId %u%1
> The above adds original User-Name to the resumption context which will
> create a separate resumption context when the username changes.
> This parameter goes to AuthBy that handles the outer EAP
> authentication (certificates, etc.).
> For more:
> https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html
> Thanks,
> Heikki

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
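A toy model of the resumption behaviour Heikki describes, added here as an illustration and not Radiator's own code: a resumption cache keyed only by TLS session id hands a session first authenticated as a user back to a later machine (host/) identity, while a cache that also keys on the presented User-Name (the effect of EAPTLS_SessionContextId %u%1) forces a fresh full handshake, and an idle timeout in the spirit of EAPContextTimeout does the same for a client that reappears after roaming. The cache layout, function names, session ids and usernames are constructed for the example.

```python
# Added illustration, not Radiator's code: a toy TLS resumption cache showing
# why the cache key should include an identity context (the thread's
# EAPTLS_SessionContextId %u%1) and how an idle timeout (EAPContextTimeout)
# forces a full handshake. Session ids and usernames below are constructed.

CONTEXT_TIMEOUT_S = 120  # the reduced EAPContextTimeout mentioned in the thread


def context_id(username, bind_to_user):
    """Analogue of the resumption context: empty without the parameter,
    the presented User-Name with it (so host/PC1 and alice differ)."""
    return username if bind_to_user else ""


def full_handshake(cache, session_id, username, bind_to_user, now):
    """Record a completed full TLS handshake in the resumption cache."""
    cache[(session_id, context_id(username, bind_to_user))] = (username, now)
    return ("full", username)


def resume(cache, session_id, username, bind_to_user, now,
           timeout_s=CONTEXT_TIMEOUT_S):
    """Try to resume; fall back to a full handshake when no entry matches
    (different context) or the entry is older than the context timeout."""
    key = (session_id, context_id(username, bind_to_user))
    entry = cache.get(key)
    if entry is None or now - entry[1] > timeout_s:
        cache.pop(key, None)
        return full_handshake(cache, session_id, username, bind_to_user, now)
    return ("resumed", entry[0])  # identity the resumed session still carries


def mixed_identity_demo(bind_to_user):
    """User auth as 'alice' first, then the same TLS session reused for the
    machine identity 'host/PC1' (the Windows behaviour suspected in the thread)."""
    cache = {}
    full_handshake(cache, "S1", "alice", bind_to_user, now=0)
    return resume(cache, "S1", "host/PC1", bind_to_user, now=10)


def roaming_demo(idle_seconds):
    """Same machine identity reconnects on another access point after idle_seconds."""
    cache = {}
    full_handshake(cache, "S2", "host/PC1", True, now=0)
    return resume(cache, "S2", "host/PC1", True, now=idle_seconds)
```

Without the identity in the key, `mixed_identity_demo(False)` resumes and reports the earlier identity `alice` for a client now presenting `host/PC1`; with it, the mismatch is visible as a full handshake under the machine identity.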