Fast roaming support

Josh Howlett Josh.Howlett at ja.net
Mon Jan 7 17:07:52 CET 2008


Session resumption is quite different from Opportunistic PMK caching
("Fast roaming").

The first is a property of some TLS-based EAP methods that take
advantage of the 'session resumption' feature in the TLS Handshake.
Windows and PEAP call this 'Fast reconnect'. TTLS calls it the proper
name. It only involves exchanging a couple of TLS Handshake messages,
hence 'Fast'. Most importantly, there are no changes to the wire
protocols. 

The second, which is part of 802.11r, is the opposite. It doesn't change
how EAP works, but it does change (slightly) how things work on the
wire. I won't go into the details, the spec is available from IEEE.

I'm talking about 'Session resumption', because that's what Windows
supports :-)

I don't think that there are any special RADIUS considerations. Section
7.5 of draft-funk-eap-ttls-v0 is a good description of how it works,
from an implementor's PoV; it's a bit clearer than the equivalent
section in the PEAP spec.

Note that the RADIUS server needs to cache the MSK derived from the
original TLS exchange; I am curious how the patch that got submitted
handled this...

josh.

> -----Original Message-----
> From: freeradius-devel-bounces+josh.howlett=ja.net at lists.freeradius.org
> [mailto:freeradius-devel-bounces+josh.howlett=ja.net at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: 07 January 2008 15:41
> To: FreeRadius developers mailing list
> Subject: Re: Fast roaming support
> 
> Alan DeKok wrote:
> > Arran Cudbard-Bell wrote:
> >   
> >> Are you talking about fast roaming as in WPA 2 Pre-Authentication
> >> fast roaming?
> >>     
> >
> >   No.  Fast session resumption for EAP-TLS methods (PEAP, 
> TTLS, etc.)
> >
> >   
> I imagined that would be part of it, but possibly not after reading:
> 
> http://technet.microsoft.com/en-us/library/bb878054.aspx
> 
> That suggests that the client authenticates to other access 
> points in the area, and caches the PMK information thus 
> generating multiple authentication sessions; instead of 
> resuming the same session (which is what I had assumed) using 
> fast session resumption.
> 
> It's damn hard to find any solid technical information, it 
> looks like you have to have "Adopter Membership" ($5000 per 
> annum) with the Wi-Fi Alliance before you can access anything 
> resembling an RFC.
> >> If so I could help out with testing; I'm very keen to get this 
> >> working here with ever rising numbers of Wifi VOIP 
> handsets appearing on campus.
> >>     
> >
> >   What are the RADIUS requirements here?
> >   
> TBH I'm not sure if there are any, if anyone could shed some 
> light on this I would be most grateful.
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/devel.html
> >   
> --
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk) 
> Authentication, Authorisation and Accounting Officer 
> Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
> 
> 

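As an added illustration of the server-side state that session resumption depends on (this is example code written for this archive page, not the submitted patch or FreeRADIUS code): the RADIUS server keeps the TLS master secret from the full handshake in a session cache, and on an abbreviated handshake derives the keying material again from that secret and the fresh client/server randoms, as RFC 5216 section 2.3 specifies for EAP-TLS. It assumes the TLS 1.2 PRF (P_SHA256) and a constructed session id and master secret; unknown or expired sessions return None, which is the cue to fall back to a full handshake.

```python
import hashlib
import hmac
import time


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    out = b""
    a = label + seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_msk(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5216 section 2.3: the MSK is the first 64 bytes of
    PRF(master_secret, "client EAP encryption", client.random || server.random)."""
    return tls12_prf(master_secret, b"client EAP encryption",
                     client_random + server_random, 64)


class ResumptionCache:
    """Server-side TLS session cache: session_id -> (master_secret, expiry)."""

    def __init__(self, lifetime_s: int = 3600):
        self.lifetime_s = lifetime_s
        self._entries = {}

    def store(self, session_id: bytes, master_secret: bytes, now=None) -> None:
        """Called after a successful full handshake."""
        now = time.time() if now is None else now
        self._entries[session_id] = (master_secret, now + self.lifetime_s)

    def resume(self, session_id: bytes, client_random: bytes,
               server_random: bytes, now=None):
        """Abbreviated handshake: reuse the cached master secret with this
        exchange's fresh randoms. Returns the new MSK, or None when the server
        must fall back to a full handshake (unknown or expired session)."""
        now = time.time() if now is None else now
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        master_secret, expiry = entry
        if now >= expiry:
            del self._entries[session_id]  # evict stale state
            return None
        return eap_tls_msk(master_secret, client_random, server_random)
```

Each resumption yields a different MSK because the randoms change, which is why the cache must hold the master secret rather than a single fixed key.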