[RADIATOR] PEAP session resumption on Windows 7, 8.1?

Heikki Vatiainen hvn at open.com.au
Thu May 25 13:13:37 UTC 2017

On 25.05.2017 12:20, Jan Tomasek wrote:

> I'm quoting from release notes Radiator 4.18:

> could you please provide more details?

Sure, in short: MS PEAP document [1] says that a full inner 
authentication is possible after TLS session resumption. Radiator does 
not support this yet. The fix we are planning is to support this.

The other clients we have seen are happy to end PEAP authentication 
successfully after TLS session resumption.

In more detail, if I remember correctly, after a TLS session is resumed, 
the server tunnels a success to the client and client responds with 
success or failure. The current MS PEAP document indicates that failure 
means that the client wants to do a full inner authentication. The 
current implementation in Radiator considers this as a failure 
indication and terminates PEAP with a reject.

Instead of rejecting the client, the server should start inner 
authentication similar to what happens when a TLS session is established 
with a full handshake.

Note: we have not tested this yet, but based on the MS PEAP document 
this seems like the likely cause why Radiator and client sometimes have 
problems with resumed sessions.

[1] https://msdn.microsoft.com/en-us/library/cc238354.aspx

> I've identified several clients 
> running Win7 and one running 8.1 which are occasionally refused because 
> PEAP session resumption. It looks like it is related to situation when 
> clients are changing essid. We are running eduroam and eduroam-cesnet, I 
> was able to identify moments when client tries to jump from one essid to 
> another and in that moment resumption fails.

It might be that the client considers SSID change an event that, while 
using TLS session resumption to get PEAP tunnel up, requires a full 
inner authentication.

You could try this as a workaround for rejects: If your controller adds 
SSID in the requests as an attribute, you could try setting 
EAPTLS_SessionContextId so that it includes the SSID. After the SSID 
change the server should require a full authentication which takes 
longer but should not cause a reject.


If you try the above, please let me and the list know how it worked.

> I like resumption as it makes reconnect and keeping it enabled as the 
> amount of affected clients is low, but if there is something I can test 
> I would like to volunteer. If you need some testing, please tell me how 
> can I help.

You could help testing when Radiator knows to start inner authentication 
after TLS session resumption. The change required affects PEAP behaviour 
considerably and we did not want to rush it in the current release. Once 
we have something to test, we will let you know.

For example, it will be interesting to see what happens when the 
tunnelled failure from a client really indicates a failure and not a 
request to start inner authentication. Also, how non-MS clients cope if 
this happens. I'm not sure this is an issue since they probably do not 
even complete resumption if there's a problem.

> Could you please provide time plan when this issue will be resolved?

I don't have that yet. However, the issue does affect a number of people 
which raises its priority.

Thanks for your interest in this,

Heikki Vatiainen
hvn at open.com.au

More information about the radiator mailing list