[RADIATOR] PEAP session resumption on Windows 7, 8.1?
jan at tomasek.cz
Fri May 26 07:19:24 UTC 2017
On 05/25/2017 03:13 PM, Heikki Vatiainen wrote:
>> I've identified several clients running Win7 and one running 8.1 which
>> are occasionally refused because of PEAP session resumption. It looks
>> like it is related to the situation when clients are changing essid. We
>> are running eduroam and eduroam-cesnet, I was able to identify moments
>> when a client tries to jump from one essid to another and at that moment
>> resumption fails.
> It might be that the client considers SSID change an event that, while
> using TLS session resumption to get PEAP tunnel up, requires a full
> inner authentication.
> You could try this as a workaround for rejects: If your controller adds
> SSID in the requests as an attribute, you could try setting
> EAPTLS_SessionContextId so that it includes the SSID. After the SSID
> change the server should require a full authentication which takes
> longer but should not cause a reject.
Yes, our WLC is sending this info:
Called-Station-Id = "f4-4e-05-ec-a8-d0:eduroam"
Called-Station-Id = "f4-4e-05-d5-9a-a0:eduroam-cesnet"
I configured it this way:
# %0 - Client
# %n - username
# %2 - AuthBy
# %3 - current EAP Type number
> If you try the above, please let me and the list know how it worked.
Sure, it will require a few days to be sure if it helps.
> You could help testing when Radiator knows to start inner authentication
> after TLS session resumption. The change required affects PEAP behaviour
> considerably and we did not want to rush it in the current release. Once
> we have something to test, we will let you know.
Ok, let me know.
>> Could you please provide time plan when this issue will be resolved?
> I don't have that yet. However, the issue does affect a number of people
> which raises its priority.
Jan Tomasek aka Semik
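
Added example, not part of the original message and not Radiator code or configuration: a small Python model of the workaround discussed in this thread, where the resumption context includes the SSID taken from Called-Station-Id so that an SSID change falls back to full authentication instead of a reject. The class and function names, the client, user and handler strings, and the pairing of the second AP MAC with the "eduroam" SSID are constructed for illustration.

```python
import re

# Called-Station-Id as sent by the WLC in this thread: "<AP MAC>:<SSID>"
_CSID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$")

def ssid_from_called_station_id(value):
    """Return the SSID part, or None when the attribute carries no SSID."""
    m = _CSID.match(value or "")
    return m.group("ssid") if m else None

def session_context_id(client, username, authby, eap_type, called_station_id):
    """Context built from the fields listed in the post plus the SSID.
    The AP MAC is left out so roaming between APs of one SSID still resumes."""
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        raise ValueError("no SSID in Called-Station-Id")
    return "|".join((client, username, authby, str(eap_type), ssid))

class ResumptionCache:
    """Toy model of a TLS session cache that remembers the context per session."""
    def __init__(self):
        self._sessions = {}

    def store(self, tls_session_id, context):
        self._sessions[tls_session_id] = context

    def decide(self, tls_session_id, context):
        # Resume only when the context matches; a mismatch means full
        # authentication, never a reject.
        if self._sessions.get(tls_session_id) == context:
            return "resume"
        return "full-auth"

def demo():
    cache = ResumptionCache()
    # 25 is the EAP type number for PEAP; the other values are constructed.
    ctx = lambda csid: session_context_id(
        "wlc1", "user@example.org", "peap-handler", 25, csid)
    cache.store("sess-01", ctx("f4-4e-05-ec-a8-d0:eduroam"))
    return [
        cache.decide("sess-01", ctx("f4-4e-05-d5-9a-a0:eduroam")),         # other AP, same SSID
        cache.decide("sess-01", ctx("f4-4e-05-d5-9a-a0:eduroam-cesnet")),  # SSID changed
    ]
```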