Freeradius 2, TTLS/PAP, multiple questions

Jérôme BERTHIER jerome.berthier at inria.fr
Fri Apr 17 15:56:35 CEST 2009


Alan DeKok wrote:
> Jérôme BERTHIER wrote:
>   
>> I'm trying to configure Freeradius 2 to implement the EAP/TTLS-PAP
>> authentication method on my Cisco AP1242. It works, but I'd like some
>> clarification to get the configuration files as small as possible.
>>     
>
>   Why?  It's not like there are any CPU / memory / disk issues with
> having the files 10K larger than their "optimal" size.
>
>   
Files could be read more easily. :-)
>> First, what's the right way to implement the check for Simultaneous-Use?
>> For the cisco nas type, Freeradius seems to use an snmp check, but where should
>> I configure the SNMP read community in order to make it possible?
>>     
>
>   In the checkrad script.
>   
OK
>   
>> Then, during the EAP process, is it possible to check whether the inner identity
>> equals the outer identity and, if not, to reject the request?
>>     
>
>   Yes.  See "man unlang".  You can check inner/outer attributes.
>   
OK I'm going to read this man page.
>> Finally, I've got a problem with NetworkManager under Fedora 9 (not tested
>> on other distributions). If the session resumption / fast reauthentication
>> cache is not enabled, clients can't reassociate and ask for session
>> resumption again. Is there a workaround?
>>     
>
>   What does that mean?  "if session resumption isn't enabled, clients
> ask for session resumption" ?
>   
Sorry. It means that when the NAS asks for reauthentication (after the 
reauth-period timeout has expired), clients won't stop trying to 
re-connect using the session resumption option again and again...
Here is an extract from the freeradius debug output:
[ttls] eaptls_process returned 3
[ttls] Skipping Phase2 due to session resumption
[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.

This problem is not present on the Windows SecureW2 client because fast 
reauthentication is an option. On NetworkManager, I can't find any 
similar option.

Thanks

-- 
Jérôme BERTHIER
INRIA Bordeaux - Sud-Ouest
Service des Moyens Informatiques
05 24 57 40 50
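
The inner/outer identity check raised in this thread, as an added example that is not part of the original messages or of the configuration FreeRADIUS ships. It assumes FreeRADIUS 2.x unlang syntax, that the ttls module in eap.conf points at a virtual server named inner-tunnel, and that the files and pap modules handle the inner PAP request; the Reply-Message text is made up for illustration.

```unlang
# raddb/sites-available/inner-tunnel   (assumed location, FreeRADIUS 2.x)
#
# Inside the TTLS tunnel, User-Name is the inner identity that PAP will
# verify. The outer identity travels outside the tunnel in the
# EAP-Response/Identity and is not covered by the password check, so a
# client can put any name there unless the two are compared explicitly.

server inner-tunnel {

    authorize {
        # %{User-Name}               -> inner (tunneled) identity
        # %{outer.request:User-Name} -> identity from the outer request
        #
        # Strict, case-sensitive comparison. A client that sends an
        # anonymous outer identity is rejected by this rule as well.
        if ("%{outer.request:User-Name}" != "%{User-Name}") {
            update reply {
                Reply-Message := "Inner and outer identities differ"
            }
            reject
        }

        # Normal inner-tunnel processing continues only when they match.
        files
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```

Running the server in debug mode shows the expanded values of both sides of the comparison, which confirms what a given supplicant actually sends as its outer identity.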

