Dropping NAS-Port AVP from Acct-Unique-Session-Id by default
Alan DeKok
aland at deployingradius.com
Fri Sep 18 15:20:13 CEST 2015
On Sep 18, 2015, at 8:30 AM, Nick Lowe <nick.lowe at gmail.com> wrote:
> Sure, but EAP session resumption taking place is not required for
> 802.1X reauth, so cannot be relied upon.
When you say "reauth", it could mean multiple things. Session resumption is re-authenticating the same session.
Without session resumption, it's not "re" authentication. It's just another authentication which HAPPENS to be from the same client and to the same AP.
Which you can detect by looking at the accounting table, and seeing that all of the session identification information is the same.
> I'd always be loath to use MAC addresses for anything like this as
> they're not a secure principal, not being cryptographically bound to
> anything.
You don't have to believe the MAC address. You CAN believe the AP IP, the AP MAC, etc.
And you CAN believe the MAC address if it's the same as the last time. :)
Remember, you don't just have the current authentication. You have the accounting information from previous sessions. So... cross-check the new session against the previous one. If the data is the same... it's likely the same person re-authenticating.
Alan DeKok.
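
The cross-check described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. It assumes accounting rows are stored in a SQL table using column names from the default `radacct` schema; the function name, verdict strings and sample rows are constructed for illustration.

```python
import sqlite3

# Assumption: a subset of columns, named as in FreeRADIUS's default radacct table.
SCHEMA = """CREATE TABLE radacct (
    acctuniqueid TEXT PRIMARY KEY, username TEXT, nasipaddress TEXT,
    calledstationid TEXT, callingstationid TEXT,
    acctstarttime TEXT, acctstoptime TEXT)"""

# Constructed sample rows, not real accounting data.
SAMPLE = [
    ("u1", "alice", "192.0.2.10", "00-11-22-33-44-55:corp", "AA-BB-CC-00-00-01",
     "2015-09-18 08:00:00", "2015-09-18 09:00:00"),
    ("u2", "bob", "192.0.2.10", "00-11-22-33-44-55:corp", "AA-BB-CC-00-00-02",
     "2015-09-18 08:30:00", None),
]

# Fields of the new authentication compared with the previous session.
COMPARED = ("username", "nasipaddress", "calledstationid")


def cross_check(conn, new):
    """Compare a new authentication (dict of attribute values) with the most
    recent accounting row for the same Calling-Station-Id (client MAC).
    Returns (verdict, list_of_differing_fields)."""
    row = conn.execute(
        "SELECT username, nasipaddress, calledstationid FROM radacct "
        "WHERE callingstationid = ? ORDER BY acctstarttime DESC LIMIT 1",
        (new["callingstationid"],)).fetchone()
    if row is None:
        return "no-history", []          # MAC never seen: nothing to compare
    diffs = [f for f, old in zip(COMPARED, row) if old != new[f]]
    # Same user, same NAS, same AP as last time: likely the same client.
    return ("likely-same-client" if not diffs else "changed"), diffs


def demo_db():
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", SAMPLE)
    return conn


if __name__ == "__main__":
    print(cross_check(demo_db(), {
        "username": "alice", "nasipaddress": "192.0.2.10",
        "calledstationid": "00-11-22-33-44-55:corp",
        "callingstationid": "AA-BB-CC-00-00-01"}))
```

A `changed` verdict, such as a known MAC presenting a different User-Name, is the case to log or review rather than treat as the same client re-authenticating.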