Question about EAP-TTLS session resumption

Mon Apr 29 16:51:20 CEST 2013

Thanks again for the confirmation, Alan. 

:-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 29 April 2013 15:35
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.paetow at diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

  Except it's not a request for "steve":

	User-Name = "steve"
	EAP-Message = 0x0200000801626f62

  The EAP-Message says that the EAP Identity is for user "bob".

  The EAP client you're using is broken.  Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses 
> the existing tunnel, which, according to the RFC and your 
> confirmation, is not correct. So thanks for confirming that part of 
> the theory. :-)

  Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

  Sounds like a plan.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom