Session resumption is quite different from Opportunistic PMK caching ("Fast roaming"). The first is a property of some TLS-based EAP methods that take advantage of the 'session resumption' feature in the TLS Handshake. Windows and PEAP calls this 'Fast reconnect'. TTLS calls it the proper name. It only involves exchanging a couple of TLS Handshake messages, hence 'Fast'. Most importantly, there are no changes to the wire protocols. The second, which is part of 802.11r, is the opposite. It doesn't change how EAP works, but it does change (slightly) how things work on the wire. I won't go into the details, the spec is available from IEEE. I'm talking about 'Session resumption', because that's what Windows supports :-) I don't think that there are any special RADIUS considerations. Section 7.5 of draft-funk-eap-ttls-v0 is a good description of how it works, from an implementor's PoV; it's a bit clearer than the equivalent section in the PEAP spec. Note that the RADIUS server needs to cache the MSK derived from the original TLS exchange; I am curious how the patch that got submitted handled this... josh.
-----Original Message----- From: freeradius-devel-bounces+josh.howlett=ja.net@lists.freeradius. org [mailto:freeradius-devel-bounces+josh.howlett=ja.net@lists.fre eradius.org] On Behalf Of Arran Cudbard-Bell Sent: 07 January 2008 15:41 To: FreeRadius developers mailing list Subject: Re: Fast roaming support
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Are you talking about fast roaming as in WPA 2 Pre-Authentication fast roaming ?
No. Fast session resumption for EAP-TLS methods (PEAP, TTLS, etc.)
I imagined that would be part of it, but possibly not after reading:
http://technet.microsoft.com/en-us/library/bb878054.aspx
That suggests that the client authenticates to other access points in the area, and caches the PMK information thus generating multiple authentication sessions; instead of resuming the same session (which is what I had assumed) using fast session resumption.
It's damn hard to find any solid technical information, it looks like you have to have "Adopter Membership" ($5000 per anum) with the wifi alliance before you can access anything resembling an RFC.
If so I could help out with testing; I'm very keen to get this working here with ever rising numbers of Wifi VOIP handsets appearing on campus.
What are the RADIUS requirements here?
TBH i'm not sure if there are any, if anyone could shed some light on this I would be most greatfull.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG