EAP Session resumption && reply attributes

Alexander Clouter alex at digriz.org.uk
Thu Jan 21 11:05:36 CET 2010

James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>> How did you get around the "my policy rejects you now, but i've already
>> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
>> EAP-Failure messages" issue... or are you just happily ignoring it/
>> encouraging adoption of TTLS-PAP like I was? :)
> Our setup never changes its mind :-) Any valid credentials always get a 
> connection. ...only whether that connection is Internet/port 
> limited/captive redirect to web message server changes.
Arran is probably referring to that with EAP TLS reauth you are actually 
using the authentication (and possibly authorisation) credentials from 
a previous session that can even be a few days prior.

You might decide to do some user focused authorisation in the post-auth 
section[1], for example you might reject a user if their user account 
has been disabled, or if they are in the wrong group or maybe they have 
been a Bad Bad Boy(tm) :)

You might then have them marked 'disabled' in your LDAP tree however the 
EAP-TLS reauth bit never gets that far....so you end up accepting them.

Again, another reason not to do user based authorisation. :)


[1] or indirectly in the authentication section via an amended LDAP 
	filter where you only authenticate against user objects where 
	'accountdisabled=false' or something

Alexander Clouter
.sigmonster says: Your aim is high and to the right.

More information about the Freeradius-Users mailing list