EAP-PEAP issues with session resumption disabled
Alan DeKok
aland at deployingradius.com
Wed Feb 18 12:39:12 CET 2009
Jouni Malinen wrote:
> It looks like FreeRADIUS is currently checking whether session
> resumption is enabled very late during EAP-PEAP negotiation. Even the
> protected result indication for success is completed before FreeRADIUS
> does this and sends EAP-Failure. However, at that point the client is
> going to discard the EAP-Failure since the only allowed message after
> successfully completed result indication is EAP-Success.
Yes... that's awkward.
> Would it be possible to move the session resumption enabled/disabled
> check to be done much earlier during the process?
Sure, but it may take a month or so for the fix to go in.
> Ideally, this would be
> done when processing the TLS ClientHello so that server could just fall
> back to using full authentication without causing authentication
> problems.
Yeah, that would be best.
Alan DeKok.
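
The failure mode discussed in this thread, as an added example that is not part of the original message and not FreeRADIUS code: a simplified Python model of one PEAP conversation in which the peer offers a cached session while the server has resumption disabled. All names (`Peer`, `server_messages`, `run`, the message strings, the `check_at` values) are hypothetical.

```python
# Added illustration: a simplified model, not FreeRADIUS or wpa_supplicant code.
from dataclasses import dataclass, field

@dataclass
class Peer:
    result_indication_ok: bool = False
    log: list = field(default_factory=list)

    def receive(self, msg):
        if msg == "protected-result-success":
            self.result_indication_ok = True
        elif msg == "EAP-Failure" and self.result_indication_ok:
            # After a completed success indication only EAP-Success is allowed,
            # so the peer drops the failure instead of acting on it.
            self.log.append("discarded EAP-Failure")
            return
        self.log.append(msg)

def server_messages(offers_session, resumption_enabled, check_at):
    """Messages the model server sends for one PEAP conversation.

    check_at="late": the enabled/disabled check runs after result indication.
    check_at="client_hello": the check runs when the ClientHello is processed.
    """
    resume = offers_session and (resumption_enabled or check_at == "late")
    msgs = ["tls-abbreviated-handshake" if resume else "tls-full-handshake"]
    if not resume:
        msgs.append("phase2-inner-auth")      # full authentication fallback
    msgs.append("protected-result-success")
    if resume and not resumption_enabled:
        msgs.append("EAP-Failure")            # late check rejects the session
    else:
        msgs.append("EAP-Success")
    return msgs

def run(offers_session, resumption_enabled, check_at):
    """Return (outcome, peer log) for one conversation."""
    peer = Peer()
    for msg in server_messages(offers_session, resumption_enabled, check_at):
        peer.receive(msg)
    outcome = "authenticated" if peer.log[-1] == "EAP-Success" else "stalled"
    return outcome, peer.log

if __name__ == "__main__":
    for mode in ("late", "client_hello"):
        print(mode, run(True, False, mode))
```
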