Jouni Malinen wrote:
It looks like FreeRADIUS is currently checking whether session resumption is enabled very late during EAP-PEAP negotiation. Even the protected result indication for success is completed before FreeRADIUS does this and sends EAP-Failure. However, at that point the client is going to discard the EAP-Failure since the only allowed message after successfully completed result indication is EAP-Success.
Yes.. that's awkward.
Would it be possible to move the session resumption enabled/disabled check to be done much earlier during the process?
Sure, but it may take a month or so for the fix to go in.
Ideally, this would be done when processing the TLS ClientHello so that server could just fall back to using full authentication without causing authentication problems.
Yeah, that would be best. Alan DeKok.