EAP-TLS and PEAP redundancy options

Alan DeKok aland at deployingradius.com
Mon Dec 3 20:50:28 CET 2007

John Paul wrote:
> The issue is that if a machine is authenticated and the server that
> did the authentication is down, the switch will contact the other server
> and the EAP conversation will fail, causing authentication to fail.
> Research indicates that this is because the client and server have
> agreed upon session specific symmetric keys that the new server does not
> know about.

  I don't think it's because of the establishment of symmetric session
keys.  Once a user has been authenticated, the *next* authentication
session is completely independent.

  I think it's that if fail-over happens in the *middle* of an EAP
authentication, the new server won't have been participating in the TLS
setup.  Therefore, it doesn't know about the EAP conversation, and it
rejects the session.

> Is there a way to tell FreeRadius to tear down the session
> once the user has been authenticated so that the next authentication
> will work if using a different server? If not, is anyone working on a
> patch or other change to enable this? I'll be happy to write the patch
> but am unfamiliar with the code. Can you tell me roughly where to look?

  Please check first that the server isn't establishing session keys.
Since FreeRADIUS doesn't do fast session resumption, I have no idea how
"session specific symmetric keys" could affect anything.

  i.e. authenticate one user via EAP.  Stop ALL other authentications.
Turn off one RADIUS server, so it fails over to the other.  Try to
re-authenticate that one user.

  The user *should* be authenticated.

  Alan DeKok.
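
A constructed model, added here to illustrate the fail-over point made above (it is not FreeRADIUS code and not from the list; the class names, the ROUNDS constant and the use of `secrets` for the State value are assumptions). Each server keeps EAP conversation state only in its own memory, so a fresh authentication after fail-over succeeds while a fail-over in the middle of an EAP exchange is rejected:

```python
# Toy model of two RADIUS servers that each hold EAP conversation state in
# their own memory only (assumption: nothing is shared between them).
import secrets

ROUNDS = 4  # constructed: Access-Challenge round trips in one EAP-TLS exchange

class RadiusServer:
    def __init__(self, name):
        self.name = name
        self.sessions = {}   # State attribute -> rounds completed; never replicated

    def handle(self, state):
        """Handle one Access-Request. state None starts a new conversation; a
        continuation must carry a State value this server itself created."""
        if state is None:
            state = secrets.token_hex(8)
            self.sessions[state] = 1
            return "Access-Challenge", state
        if state not in self.sessions:
            # Unknown State: this server never took part in the TLS setup
            return "Access-Reject", state
        self.sessions[state] += 1
        if self.sessions[state] >= ROUNDS:
            del self.sessions[state]   # conversation finished; nothing is kept
            return "Access-Accept", state
        return "Access-Challenge", state

def authenticate(servers, fail_primary_after=None):
    """Run one EAP conversation. The switch sends to servers[0] until that
    server is declared down after `fail_primary_after` round trips, then
    sends the rest of the conversation to servers[1]. Returns the final code."""
    state, reply, round_trips = None, None, 0
    while reply not in ("Access-Accept", "Access-Reject"):
        use_backup = fail_primary_after is not None and round_trips >= fail_primary_after
        server = servers[1] if use_backup else servers[0]
        reply, state = server.handle(state)
        round_trips += 1
    return reply

def demo():
    primary, backup = RadiusServer("primary"), RadiusServer("backup")
    first = authenticate([primary, backup])                      # primary only
    second = authenticate([backup, primary])                     # primary down before the next auth
    mid = authenticate([primary, backup], fail_primary_after=2)  # primary dies mid-EAP
    return first, second, mid

if __name__ == "__main__":
    print(demo())
```

The second result is the case the reply above says should work; the third is the mid-conversation fail-over that the new server cannot complete.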
