PEAP Fast Reconnect
Michael Griego
mgriego at utdallas.edu
Mon Jan 29 20:08:05 CET 2007
No, not currently. Doing so will require a level of caching and
connection of the TLS session information with the RADIUS attributes
that currently is not in place. This kind of checking is to ensure
that a user is not able to authenticate with his credentials, then,
say, simply change his EAP identity/username and reauth with a fast
reconnect (which doesn't check the certificate). Since the cert is
not checked in a fast reconnect, there is nothing to connect the
session to the RADIUS attributes (such as username), so any username
would be accepted unless a fast reconnect is checked against the
initial session credentials. Username substitution like this could,
obviously, lead to users being able to gain privileges they wouldn't
otherwise have.
--Mike
On Jan 29, 2007, at 11:52 AM, King, Michael wrote:
> Does FreeRADIUS support PEAP Fast Reconnect?
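The binding described in the reply above, shown as an added example that is not part of the original post and is not FreeRADIUS code: a cache that ties each TLS session ID to the username proven in the full PEAP handshake and refuses a fast reconnect when the presented username differs. The class, method names, return strings and the one-hour lifetime are all assumptions made for illustration.

```python
import time

CACHE_LIFETIME = 3600  # assumed: seconds a cached TLS session stays resumable


class SessionCache:
    """Binds a TLS session ID to the username from the initial full auth."""

    def __init__(self, now=time.time):
        self._entries = {}   # tls_session_id -> (username, time stored)
        self._now = now      # injectable clock so expiry can be tested

    def store_full_auth(self, tls_session_id, username):
        # Call only after the full handshake and inner authentication
        # succeeded; this is the "initial session credentials" record.
        self._entries[tls_session_id] = (username, self._now())

    def check_fast_reconnect(self, tls_session_id, username):
        """Return 'resume', or 'full-auth' to force a complete handshake."""
        entry = self._entries.get(tls_session_id)
        if entry is None:
            return "full-auth"   # no cached state to bind the request to
        bound_user, stored_at = entry
        if self._now() - stored_at > CACHE_LIFETIME:
            del self._entries[tls_session_id]
            return "full-auth"   # cached session too old to trust
        if username != bound_user:
            # Username substitution: the resumed tunnel proves nothing
            # about the new name, so drop the session and start over.
            del self._entries[tls_session_id]
            return "full-auth"
        return "resume"


def demo():
    # Constructed sample values, not taken from any real deployment.
    cache = SessionCache()
    sid = bytes(32)
    cache.store_full_auth(sid, "alice")
    same = cache.check_fast_reconnect(sid, "alice")
    swapped = cache.check_fast_reconnect(sid, "admin")
    return same, swapped


if __name__ == "__main__":
    print(demo())
```

Falling back to a full authentication on mismatch, rather than rejecting outright, keeps a legitimate user who changes accounts working while still requiring credentials for the new name.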