hostapd + freeradius + windows users problem
Jouni Malinen
jkmalinen at gmail.com
Fri Nov 14 16:09:05 CET 2008
On Fri, Nov 14, 2008 at 1:41 AM, <tnt at kalik.net> wrote:
> b. The authorizations are changed as a result of a successful
> re-authentication. In this case, the Service Unavailable (15)
> termination cause is used. For accounting purposes, the portion
> of the session after the authorization change is treated as a
> separate session.
>
> It would be quite reasonable to interpret change of user credentials as
> change of authorization.
It may look like that in some cases, but I do not think that this
would be a generic solution. NAS does not simply have enough
information to figure out when "authorization" changes (whatever that
exactly means). One example of a changing public (i.e., visible to
NAS) user identity is in EAP-SIM and EAP-AKA which support identity
privacy and fast re-authentication using a temporary identity that is
sent in EAP-Response/Identity. If IEEE 802.1X Authenticator triggers
reauthentication during the same 802.11 association, the User-Name
attribute will change even though the real credentials (SIM/USIM)
remain the same. NAS has no way of knowing this; only AS and
Supplicant know how to map the temporary identity to the permanent
identity for the same credential.
- Jouni
More information about the Freeradius-Users
mailing list
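
The situation described in the message above, as an added example that is not part of the original post or of hostapd/FreeRADIUS: a NAS that compares User-Name across re-authentications reports a change on every fast re-authentication, while the AS resolves each temporary identity to the same credential. The `AuthServer` class, the realm, the IMSI-style identity and the temporary identity format are all constructed assumptions.

```python
import secrets

REALM = "wlan.example.org"                    # constructed realm
PERMANENT_ID = "1001010123456789@" + REALM    # constructed EAP-SIM style permanent identity

class AuthServer:
    """Hypothetical AS: besides the Supplicant, the only party able to map
    a temporary identity back to the permanent one."""
    def __init__(self):
        self._temp_to_perm = {}

    def issue_reauth_id(self, permanent_id):
        # Opaque identity for the next fast re-authentication (format is an assumption).
        temp = secrets.token_hex(8) + "@" + REALM
        self._temp_to_perm[temp] = permanent_id
        return temp

    def resolve(self, identity):
        # Temporary identities are single use; unknown names are treated as permanent.
        return self._temp_to_perm.pop(identity, identity)

def nas_user_name_changed(prev, new):
    """All the NAS can do: compare User-Name of consecutive authentications."""
    return prev is not None and prev != new

def simulate_association(rounds=3):
    """One 802.11 association: a full authentication, then `rounds` fast
    re-authentications. Returns one tuple per authentication:
    (user_name, nas_flags_change, as_sees_same_credential)."""
    server = AuthServer()
    results, prev_name, identity = [], None, PERMANENT_ID
    for _ in range(rounds + 1):
        user_name = identity                  # copied from EAP-Response/Identity
        permanent = server.resolve(user_name)
        results.append((user_name,
                        nas_user_name_changed(prev_name, user_name),
                        permanent == PERMANENT_ID))
        prev_name = user_name
        identity = server.issue_reauth_id(permanent)  # fresh temporary id for next round
    return results

if __name__ == "__main__":
    for name, nas_flag, same_cred in simulate_association():
        print(f"User-Name={name:<36} NAS sees change={nas_flag!s:<5} "
              f"same credential={same_cred}")
```
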