EAP-TLS and PEAP redundancy options

Alan DeKok aland at deployingradius.com
Tue Dec 4 16:36:53 CET 2007

John Paul wrote:
> When I tested this the first time, authentications to server 1 worked
> and to server 2 did not. When I couldn't figure it out, I turned the
> test machines off and left for the day. The next day I had server 1
> turned off - I turned the test machines on and authentications to
> server 2 worked fine, but would not work on server 1 once I powered
> it on. The common denominator here was that authentications work
> against the first server it tries but not any others. That's why I
> postulated that there must be some sort of session resumption going on.

  FreeRADIUS does not do session resumption.  If the supplicant tries to
do session resumption, I don't know what will happen.  You should ensure
that the supplicant has session resumption disabled.

> Was a shot in the dark based on some googling I had done a while back. I
> assumed FreeRADIUS and Windows were agreeing on some sort of "fast session
> resumption" that would include symmetric encryption keys.

  Windows may support session resumption.  FreeRADIUS does not.

  There are patches to enable this, but they have not, as yet, been
integrated.  In any case, they won't help you to fail over from one
server to another.

  If the Windows client has session resumption enabled, it *should* notice
that session resumption has failed, and re-authenticate from scratch.

  I suspect that the issue is "fast session resumption" on the Windows
box.  Turn it off.

  If that doesn't fix it, the Windows client is broken.  Try another one.

  Alan DeKok.

More information about the Freeradius-Users mailing list