Question about EAP-TTLS session resumption
Alan DeKok
aland at deployingradius.com
Mon Apr 29 16:34:55 CEST 2013
stefan.paetow at diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.
Except it's not a request for "steve":
User-Name = "steve"
EAP-Message = 0x0200000801626f62
The EAP-Message says that the EAP Identity is for user "bob".
The EAP client you're using is broken. Fix that before you try
anything else.
> Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)
Likely, yes.
> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.
Sounds like a plan.
Alan DeKok.
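To make the point about the EAP-Message concrete, here is an added decoder (example code, not from the thread or from FreeRADIUS) that parses an EAP packet as printed in the debug output and compares the EAP Identity against the outer User-Name; the function names are my own.

```python
import struct
from typing import Optional

# EAP header per RFC 3748: Code(1) Identifier(1) Length(2), then Type(1) and data for Request/Response.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(raw: bytes) -> dict:
    """Decode one EAP packet, validating the Length field against the bytes present."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request / Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response packet is missing the Type byte")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
        if raw[4] == EAP_TYPE_IDENTITY:
            # Identity data is the NAI as sent by the peer, no terminator
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt


def eap_identity_from_radius(eap_message_hex: str) -> Optional[str]:
    """Accept the value as the debug output prints it (0x...) and return the EAP Identity, if any."""
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    return parse_eap(bytes.fromhex(hexstr)).get("identity")


def identity_matches_user_name(user_name: str, eap_message_hex: str) -> bool:
    """True only when the EAP Identity inside EAP-Message equals the outer User-Name."""
    ident = eap_identity_from_radius(eap_message_hex)
    return ident is not None and ident == user_name


if __name__ == "__main__":
    # Values quoted above: outer User-Name "steve", EAP-Message 0x0200000801626f62
    print(parse_eap(bytes.fromhex("0200000801626f62")))
    print(identity_matches_user_name("steve", "0x0200000801626f62"))  # False: identity is "bob"
```

The EAP state machine keys on the Identity inside EAP-Message, not on the outer User-Name, which is why the request above is really for "bob". A mismatch by itself is not always a fault, since EAP-TTLS deployments often send an anonymous outer identity on purpose.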