[RADIATOR] PEAP session resumption on Windows 7, 8.1?

Jan Tomasek jan at tomasek.cz
Fri May 26 07:19:24 UTC 2017 

Hi Heikki,

On 05/25/2017 03:13 PM, Heikki Vatiainen wrote:
>> I've identified several clients running Win7 and one running 8.1 which
>> are occasionally refused because PEAP session resumption. It looks
>> like it is related to situation when clients are changing essid. We
>> are running eduroam and eduroam-cesnet, I was able to identify moments
>> when client tries to jump from one essid to another and in that moment
>> resumption fails.
>
> It might be that the client considers SSID change an event that, while
> using TLS session resumption to get PEAP tunnel up, requires a full
> inner authentication.
>
> You could try this as a workaround for rejects: If your controller adds
> SSID in the requests as an attribute, you could try setting
> EAPTLS_SessionContextId so that it includes the SSID. After the SSID
> change the server should require a full authentication which takes
> longer but should not cause a reject.
>
> https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html#EAPTLS_SessionContextId_AuthByxxxxxx

yes, our WLC is sending this info:

         Called-Station-Id = "f4-4e-05-ec-a8-d0:eduroam"
	Called-Station-Id = "f4-4e-05-d5-9a-a0:eduroam-cesnet"

I configured it this way:

         EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}
                                 # %0 - Client
                                 # %n - username
                                 # %2 - AuthBy
                                 # %3 - current EAP Type number

> If you try the above, please let me and the list know how it worked.

Sure, It will require a few days to be sure if it helps.

> You could help testing when Radiator knows to start inner authentication
> after TLS session resumption. The change required affects PEAP behaviour
> considerably and we did not want to rush it in the current release. Once
> we have something to test, we will let you know.

Ok, let me know.

>> Could you please provide time plan when this issue will be resolved?
>
> I don't have that yet. However, the issue does affect a number of people
> which raises its priority.

Thank you

-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

More information about the radiator mailing list