EAP-PEAP issues with session resumption disabled

Alan DeKok aland at deployingradius.com
Wed Feb 18 12:39:12 CET 2009

Jouni Malinen wrote:
> It looks like FreeRADIUS is currently checking whether session
> resumption is enabled very late during EAP-PEAP negotiation. Even the
> protected result indication for success is completed before FreeRADIUS
> does this and sends EAP-Failure. However, at that point the client is
> going to discard the EAP-Failure since the only allowed message after
> successfully completed result indication is EAP-Success.

  Yes.. that's awkward.

> Would it be possible to move the session resumption enabled/disabled
> check to be done much earlier during the process?

  Sure, but it may take a month or so for the fix to go in.

> Ideally, this would be
> done when processing the TLS ClientHello so that server could just fall
> back to using full authentication without causing authentication
> problems. 

  Yeah, that would be best.

  Alan DeKok.

More information about the Freeradius-Devel mailing list