EAP Session resumption && reply attributes

James J J Hooper jjj.hooper at bristol.ac.uk
Thu Jan 21 11:36:04 CET 2010



--On Thursday, January 21, 2010 10:05:36 AM +0000 Alexander Clouter 
<alex at digriz.org.uk> wrote:

> James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>>> How did you get around the "my policy rejects you now, but i've already
>>> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
>>> EAP-Failure messages" issue... or are you just happily ignoring it/
>>> encouraging adoption of TTLS-PAP like I was? :)
>>
>> Our setup never changes its mind :-) Any valid credentials always get a
>> connection. ...only whether that connection is Internet/port
>> limited/captive redirect to web message server changes.
>>
> Arran is probably referring to that with EAP TLS reauth you are actually
> using the authentication (and possibly authorisation) credentials from
> a previous session that can even be a few days prior.
>
> You might decide to do some user focused authorisation in the post-auth
> section[1], for example you might reject a user if their user account
> has been disabled, or if they are in the wrong group or maybe they have
> been a Bad Bad Boy(tm) :)
>
> You might then have them marked 'disabled' in your LDAP tree however the
> EAP-TLS reauth bit never gets that far....so you end up accepting them.

That's precisely what I meant, although I didn't explain it. If the 
credentials were initially valid, for the life of the connecting device 
being able to resume its session, we always send back an Access-Accept 
(even if their account is now "disabled"). We then outer post-post auth to 
put them in a suitable network. (i.e. Naughty users get only a WRD to say 
so.)

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
+44 (0)117 331 7080 (17080 internal)
--
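The failure mode described in this thread, as an added illustration that is not part of the original mail or of FreeRADIUS: a toy RADIUS-style server that caches EAP-TLS sessions. The naive variant stores the accept/reject decision with the cached session, so a user whose account is disabled after the first login keeps getting Access-Accept on resumption because the post-auth policy never runs. The hardened variant caches only the authentication fact ("this client proved it is user X"), bounds the cache lifetime, and re-evaluates the post-auth policy on every request. The `Directory`, `CachedSession`, server classes, `post_auth_policy` and all sample data are constructed for this example.

```python
"""Added illustration (not from the mailing list): why a cached EAP-TLS
session must not replay the authorisation decision.

Two toy RADIUS-style servers share a constructed directory. The naive server
stores the whole accept/reject decision in its TLS session cache, so a user
disabled after the first login keeps getting Access-Accept on resumption.
The hardened server caches only "this client authenticated as user X", bounds
the cache lifetime, and re-runs the post-auth policy on every request.
"""
from dataclasses import dataclass


@dataclass
class CachedSession:
    user: str
    created: float      # seconds; the simulated clock is passed in by callers
    decision: str = ""  # only the naive server fills this in


class Directory:
    """Stand-in for the LDAP tree: user -> {"disabled": bool}. Constructed data."""

    def __init__(self):
        self.users = {"alice": {"disabled": False}}

    def is_disabled(self, user):
        # Unknown users are treated as disabled (fail closed).
        return self.users.get(user, {}).get("disabled", True)

    def disable(self, user):
        self.users.setdefault(user, {})["disabled"] = True


def post_auth_policy(directory, user):
    """The per-request authorisation step (the post-auth section in the thread)."""
    return "reject" if directory.is_disabled(user) else "accept"


class NaiveServer:
    """Resumption returns whatever was decided at full authentication."""

    def __init__(self, directory):
        self.directory = directory
        self.cache = {}

    def full_auth(self, user, session_id, now):
        decision = post_auth_policy(self.directory, user)
        # Defect being illustrated: the authorisation result is cached with the session.
        self.cache[session_id] = CachedSession(user, now, decision)
        return decision

    def resume(self, session_id, now):
        sess = self.cache.get(session_id)
        if sess is None:
            return None  # no cached state: client must do a full handshake
        return sess.decision  # post-auth policy is skipped entirely


class HardenedServer:
    """Resumption proves only identity; authorisation is evaluated every time."""

    def __init__(self, directory, max_lifetime):
        self.directory = directory
        self.max_lifetime = max_lifetime
        self.cache = {}

    def full_auth(self, user, session_id, now):
        decision = post_auth_policy(self.directory, user)
        if decision == "accept":
            # Cache the authentication fact only, never the policy outcome.
            self.cache[session_id] = CachedSession(user, now)
        return decision

    def resume(self, session_id, now):
        sess = self.cache.get(session_id)
        if sess is None or now - sess.created > self.max_lifetime:
            self.cache.pop(session_id, None)
            return None  # expired or unknown: force a full handshake
        return post_auth_policy(self.directory, sess.user)


def scenario():
    """Alice logs in, is disabled by the admin, then her client resumes its session."""
    d_naive, d_hard = Directory(), Directory()
    naive = NaiveServer(d_naive)
    hard = HardenedServer(d_hard, max_lifetime=24 * 3600)

    t0 = 1000.0
    first = (naive.full_auth("alice", "sess-1", t0), hard.full_auth("alice", "sess-1", t0))
    d_naive.disable("alice")
    d_hard.disable("alice")
    resumed = (naive.resume("sess-1", t0 + 60), hard.resume("sess-1", t0 + 60))
    # Days later the hardened cache has expired and a full handshake is demanded.
    stale = hard.resume("sess-1", t0 + 3 * 24 * 3600)
    return {"first": first, "resumed": resumed, "stale": stale}


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows both servers accepting the first login, the naive server still accepting the resumed session after the account was disabled while the hardened one rejects it, and the hardened server refusing a stale resumption so the client has to redo the full handshake. The design point is the separation: a resumed TLS session is evidence of authentication, not a cached authorisation result, so the reply attributes and accept/reject decision should be recomputed from current directory state on every Access-Request.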