EAP Session resumption && reply attributes
James J J Hooper
jjj.hooper at bristol.ac.uk
Thu Jan 21 09:33:07 CET 2010
On 20/01/2010 23:36, Arran Cudbard-Bell wrote:
> On 1/17/2010 8:37 AM, Alexander Clouter wrote:
>> James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
>>> In order to also return e.g. VLAN IDs (that could be computed from the
>>> inner User-Name in a non-session-resumption enabled config), I can move
>>> the config that sets the VLAN to the outer tunnel post-auth && ensure the
>>> inner tunnel sets:
>>> reply:outer User-Name to request:inner User-Name
>>> and then key my VLAN computation (in outer post-auth) from
>>> reply:User-Name.
>>>
>> We have been doing authorisation depending on the outer layer since
>> summer.
>
> How did you get around the "my policy rejects you now, but I've already
> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
> EAP-Failure messages" issue... or are you just happily ignoring it/
> encouraging adoption of TTLS-PAP like I was? :)
>
> -Arran
Our setup never changes its mind :-) Any valid credentials always get a
connection. ...only whether that connection is Internet/port
limited/captive redirect to web message server changes.
This also avoids the 'wireless doesn't accept my password' queries at the
helpdesk (which end up with the user messing around and perhaps turning
off certificate validation to see if that "fixes it" etc). Instead
facebook.com returns "you're a virus infected monster - use a different PC
to read your email. We've sent you instructions" etc.
-James
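The arrangement James describes (inner tunnel copies the inner identity into the outer reply, outer post-auth keys the VLAN off reply:User-Name so it works for fresh and resumed TLS sessions alike), sketched as added FreeRADIUS unlang; this is not config from the thread, and the realm names and VLAN IDs are assumed values.

```unlang
# raddb/sites-enabled/inner-tunnel: post-auth here runs only on a full
# (non-resumed) authentication, the only time the inner User-Name is seen.
post-auth {
    # Copy the inner identity into the OUTER reply list.  It goes out in the
    # Access-Accept and, with TLS session caching on, is stored with the
    # session and restored on resumption (the property this thread relies on).
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
}

# raddb/sites-enabled/default: post-auth here runs on every Access-Accept,
# fresh or resumed, so the VLAN decision is keyed only on reply:User-Name.
post-auth {
    # Realms and VLAN IDs are assumed values for illustration.
    if (reply:User-Name =~ /@staff\.example\.ac\.uk$/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (reply:User-Name =~ /@student\.example\.ac\.uk$/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # No usable identity: still accept, but on the restricted VLAN, in
        # the "never changes its mind" spirit of the reply above.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "999"
        }
    }
}
```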