EAP Session resumption && reply attributes

Alexander Clouter alex at digriz.org.uk
Thu Jan 21 01:39:13 CET 2010


Arran Cudbard-Bell <arran.cudbard-bell at hp.com> wrote:
> 
> On 1/17/2010 8:37 AM, Alexander Clouter wrote:
>> James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>>    
>>> In order to also return e.g. VLAN IDs (that could be computed from the
>>> inner User-Name in a non-session-resumption enabled config), I can move
>>> the config that sets the VLAN to the outer tunnel post-auth && ensure the
>>> inner tunnel sets:
>>>    reply:outer User-Name to request:inner User-Name
>>> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
>>>
>> We have been doing authorisation depending on the outer layer since
>> summer.
> 
> How did you get around the "my policy rejects you now, but I've already 
> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my 
> EAP-Failure messages" issue... or are you just happily ignoring it / 
> encouraging adoption of TTLS-PAP like I was? :)
> 
Probably as I do not use user *authorisation*... :P

It's nuts to do user authorisation for network nodes; user authorisation 
lives further up the stack and should stay in the realm of layer 5, where 
it belongs.  What I do, though, is let user authentication 'bootstrap' the 
host authentication, so think of it as "I, user xyz, vouch that I am 
responsible for MAC address abc for the duration of my session"; with 
that in mind you can forget about user authorisation... which is just a 
plain nasty idea anyway.

If you're interested, you can see what I'm doing more or less:

http://stuff.digriz.org.uk/freeradius-public-20100101.tar.gz

Been a few minor changes/cleanups since though so be gentle ;)

Cheers

-- 
Alexander Clouter
.sigmonster says: Preserve Wildlife!  Throw a party today!
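The arrangement James describes in the quoted passage (inner-tunnel post-auth copies the inner User-Name into the outer reply; outer post-auth derives the VLAN from reply:User-Name), written out as FreeRADIUS 2.x unlang. This is an added illustration, not a config from the thread, from James's or Alexander's setups, or from the tarball linked above. The realm pattern, the VLAN numbers and the two-way policy are assumptions chosen for the example; adjust them to your own site. It deliberately only sets reply attributes and never rejects in the outer post-auth, which sidesteps the "already sent a tunneled success TLV" problem Arran raises.

```unlang
# Added example, not from the thread.  FreeRADIUS 2.x unlang.
# Assumed policy: users in realm staff.example.ac.uk get VLAN 100,
# everyone else gets VLAN 200.  Both values are placeholders.

# --- raddb/sites-available/inner-tunnel ---------------------------------
post-auth {
	# Copy the authenticated inner identity into the OUTER reply list so
	# the outer server's post-auth can key its policy off it.  Only the
	# reply list is touched; no Access-Reject is produced here.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}

# --- raddb/sites-available/default (outer server) -----------------------
post-auth {
	# request:User-Name here is the outer identity (often anonymous), so
	# policy is keyed on reply:User-Name instead.  The thread's premise is
	# that reply attributes are kept with the TLS session and replayed on
	# session resumption, when the inner tunnel does not run; confirm that
	# against the FreeRADIUS version you deploy.
	if (reply:User-Name =~ /^[^@]+@staff\.example\.ac\.uk$/i) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"
		}
	}
	else {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "200"
		}
	}
}
```

Test it with a full (non-resumed) PEAP or TTLS authentication first and confirm with `radiusd -X` that the Access-Accept carries the inner User-Name and the Tunnel-* attributes; then reconnect with session resumption enabled and check that the same attributes appear without the inner tunnel having been run. If they do not, the outer post-auth has nothing to key on and both branches above are never reached for resumed sessions.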




More information about the Freeradius-Users mailing list