EAP Session resumption && reply attributes
Alexander Clouter
alex at digriz.org.uk
Thu Jan 21 01:39:13 CET 2010
Arran Cudbard-Bell <arran.cudbard-bell at hp.com> wrote:
>
> On 1/17/2010 8:37 AM, Alexander Clouter wrote:
>> James J J Hooper<jjj.hooper at bristol.ac.uk> wrote:
>>
>>> In order to also return e.g. VLAN IDs (that could be computed from the
>>> inner User-Name in a non-session-resumption enabled config), I can move
>>> the config that sets the VLAN to the outer tunnel post-auth && ensure the
>>> inner tunnel sets:
>>> reply:outer User-Name to request:inner User-Name
>>> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
>>>
>> We have been doing authorisation depending on the outer layer since
>> summer.
>
> How did you get around the "my policy rejects you now, but i've already
> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
> EAP-Failure messages" issue... or are you just happily ignoring it/
> encouraging adoption of TTLS-PAP like I was? :)
>
Probably as I do not use user *authorisation*... :P
It's nuts to do user authorisation for network nodes, user authorisation
lives further up the stack and should stay in the realm of layer 5 where
it belongs. What I do though is let user authentication 'bootstrap' the
host authentication, so you think of it that "I user xyz vouch that I am
responsible for MAC address abc for the duration of my session"; with
that in mind you can forget about user authorisation...which is just a
plain nasty idea anyway.
If yer interested, you can see what I'm doing more or less:
http://stuff.digriz.org.uk/freeradius-public-20100101.tar.gz
Been a few minor changes/cleanups since though so be gentle ;)
Cheers
--
Alexander Clouter
.sigmonster says: Preserve Wildlife! Throw a party today!
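The technique quoted from James Hooper above (inner tunnel copies its authenticated User-Name into the outer reply; the outer post-auth keys the VLAN off reply:User-Name) written out as an added example. This is not configuration from the thread or from the tarball linked above; it assumes FreeRADIUS 2.x/3.x unlang with the standard `inner-tunnel` and outer virtual servers, and the realm names and VLAN numbers are constructed for illustration.

```unlang
# --- sites-available/inner-tunnel : post-auth of the inner virtual server ---
post-auth {
	# Hand the authenticated inner identity up to the reply list of the
	# outer EAP session so the outer post-auth can make decisions on it.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}

# --- outer virtual server (e.g. sites-available/default) : post-auth ---
post-auth {
	# Key the VLAN on the identity the inner tunnel handed up, not on the
	# outer (often anonymous) identity the supplicant sent in the clear.
	# Realms and VLAN IDs below are constructed for this example.
	if ("%{reply:User-Name}" =~ /@staff\.example\.org$/) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"
		}
	}
	elsif ("%{reply:User-Name}" =~ /@student\.example\.org$/) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "30"
		}
	}
	else {
		# Unknown or missing identity: place the host on a restricted VLAN
		# instead of rejecting here.  As the thread points out, a reject
		# issued at this stage arrives after the inner tunnel has already
		# signalled success and the supplicant may not honour it.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "999"
		}
	}
}
```

The `else` branch is the practical consequence of Arran's objection: once the inner method has sent its success, the outer post-auth is too late to refuse access, so any policy that must be able to say "no" belongs in the inner tunnel, and the outer stage should only assign where the already-authenticated host lands. Check the result with `radiusd -X` and confirm the Access-Accept carries all three Tunnel-* attributes, since switches ignore a VLAN assignment with Tunnel-Type or Tunnel-Medium-Type missing.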