On Sep 18, 2015, at 8:30 AM, Nick Lowe <nick.lowe@gmail.com> wrote:
Sure, but EAP session resumption taking place is not required for 802.1X reauth, so cannot be relied upon.
When you say "reauth", it could mean multiple things. Session resumption is re-authenticating the same session. Without session resumption, it's not "re" authentication. It's just another authentication which HAPPENS to be from the same client and to the same AP. Which you can detect by looking at the accounting table, and seeing that all of the session identification information is the same.
I'd always be loathed to use MAC addresses for anything like this as they're not a secure principle, not being cryptographically bound to anything.
You don't have to believe the MAC address. You CAN believe the AP IP, the AP Mac, etc. And you CAN believe the MAC address if it's the same as the last time. :) Remember, you don't just have the current authentication. You have the accounting information from previous sessions. So... cross-check the new session against the previous one. If the data is the same... it's likely the same person re-authenticating. Alan DeKok.