I thought I read a mail on this list claiming that a patch was available to support Fast Roaming, but this had not yet been integrated. Is this correct? josh. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
Hi,
I thought I read a mail on this list claiming that a patch was available to support Fast Roaming, but this had not yet been integrated. Is this correct?
you are correct - there was a patch submitted - however a request was made for it to be rewritten to match the FR writing style. never rematerialised - but i think it was posted as a bug entry if someone has some editing time. alan
A.L.M.Buxey@lboro.ac.uk wrote:
you are correct - there was a patch submitted - however a request was made for it to be rewritten to match the FR writing style. never rematerialised - but i think it was posted as a bug entry if someone has some editing time.
I started committing portions of it... which broke PEAP. The bug is still open, if someone can do more testing against CVS head. Alan DeKok.
Alan DeKok wrote:
A.L.M.Buxey@lboro.ac.uk wrote:
you are correct - there was a patch submitted - however a request was made for it to be rewritten to match the FR writing style. never rematerialised - but i think it was posted as a bug entry if someone has some editing time.
I started committing portions of it... which broke PEAP.
The bug is still open, if someone can do more testing against CVS head.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Are you talking about fast roaming as in WPA 2 Pre-Authentication fast roaming ? If so I could help out with testing; I'm very keen to get this working here with ever rising numbers of Wifi VOIP handsets appearing on campus. Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
Are you talking about fast roaming as in WPA 2 Pre-Authentication fast roaming ?
No. Fast session resumption for EAP-TLS methods (PEAP, TTLS, etc.)
If so I could help out with testing; I'm very keen to get this working here with ever rising numbers of Wifi VOIP handsets appearing on campus.
What are the RADIUS requirements here? Alan DeKok.
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Are you talking about fast roaming as in WPA 2 Pre-Authentication fast roaming ?
No. Fast session resumption for EAP-TLS methods (PEAP, TTLS, etc.)
I imagined that would be part of it, but possibly not after reading: http://technet.microsoft.com/en-us/library/bb878054.aspx That suggests that the client authenticates to other access points in the area, and caches the PMK information thus generating multiple authentication sessions; instead of resuming the same session (which is what I had assumed) using fast session resumption. It's damn hard to find any solid technical information, it looks like you have to have "Adopter Membership" ($5000 per anum) with the wifi alliance before you can access anything resembling an RFC.
If so I could help out with testing; I'm very keen to get this working here with ever rising numbers of Wifi VOIP handsets appearing on campus.
What are the RADIUS requirements here?
TBH i'm not sure if there are any, if anyone could shed some light on this I would be most greatfull.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Session resumption is quite different from Opportunistic PMK caching ("Fast roaming"). The first is a property of some TLS-based EAP methods that take advantage of the 'session resumption' feature in the TLS Handshake. Windows and PEAP calls this 'Fast reconnect'. TTLS calls it the proper name. It only involves exchanging a couple of TLS Handshake messages, hence 'Fast'. Most importantly, there are no changes to the wire protocols. The second, which is part of 802.11r, is the opposite. It doesn't change how EAP works, but it does change (slightly) how things work on the wire. I won't go into the details, the spec is available from IEEE. I'm talking about 'Session resumption', because that's what Windows supports :-) I don't think that there are any special RADIUS considerations. Section 7.5 of draft-funk-eap-ttls-v0 is a good description of how it works, from an implementor's PoV; it's a bit clearer than the equivalent section in the PEAP spec. Note that the RADIUS server needs to cache the MSK derived from the original TLS exchange; I am curious how the patch that got submitted handled this... josh.
-----Original Message----- From: freeradius-devel-bounces+josh.howlett=ja.net@lists.freeradius. org [mailto:freeradius-devel-bounces+josh.howlett=ja.net@lists.fre eradius.org] On Behalf Of Arran Cudbard-Bell Sent: 07 January 2008 15:41 To: FreeRadius developers mailing list Subject: Re: Fast roaming support
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Are you talking about fast roaming as in WPA 2 Pre-Authentication fast roaming ?
No. Fast session resumption for EAP-TLS methods (PEAP, TTLS, etc.)
I imagined that would be part of it, but possibly not after reading:
http://technet.microsoft.com/en-us/library/bb878054.aspx
That suggests that the client authenticates to other access points in the area, and caches the PMK information thus generating multiple authentication sessions; instead of resuming the same session (which is what I had assumed) using fast session resumption.
It's damn hard to find any solid technical information, it looks like you have to have "Adopter Membership" ($5000 per anum) with the wifi alliance before you can access anything resembling an RFC.
If so I could help out with testing; I'm very keen to get this working here with ever rising numbers of Wifi VOIP handsets appearing on campus.
What are the RADIUS requirements here?
TBH i'm not sure if there are any, if anyone could shed some light on this I would be most greatfull.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
Note that the RADIUS server needs to cache the MSK derived from the original TLS exchange; I am curious how the patch that got submitted handled this...
It sets a flag in OpenSSL telling OpenSSL to cache the SSL session contexts. :)
Ah, of course. FWIW, TTLSv0 has this to say about that: [Implementation note: Toolkits that implement TLS often cache resumable TLS sessions automatically. Implementers must take care to override such automatic behavior, and prevent sessions from being cached for possible resumption until the user has been positively authenticated during phase 2.] josh. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
Josh Howlett wrote:
Ah, of course. FWIW, TTLSv0 has this to say about that:
[Implementation note: Toolkits that implement TLS often cache resumable TLS sessions automatically. Implementers must take care to override such automatic behavior, and prevent sessions from being cached for possible resumption until the user has been positively authenticated during phase 2.]
Yes. I'll have to check if the patch does that. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Josh Howlett