Dropping NAS-Port AVP from Acct-Unique-Session-Id by default

Alan DeKok aland at deployingradius.com
Fri Sep 18 15:20:13 CEST 2015

On Sep 18, 2015, at 8:30 AM, Nick Lowe <nick.lowe at gmail.com> wrote:
> Sure, but EAP session resumption taking place is not required for
> 802.1X reauth, so cannot be relied upon.

 When you say "reauth", it could mean multiple things.  Session resumption is re-authenticating the same session.

  Without session resumption, it's not "re" authentication.  It's just another authentication which HAPPENS to be from the same client and to the same AP.

  Which you can detect by looking at the accounting table, and seeing that all of the session identification information is the same.

> I'd always be loathed to use MAC addresses for anything like this as
> they're not a secure principle, not being cryptographically bound to
> anything.

  You don't have to believe the MAC address.  You CAN believe the AP IP, the AP Mac, etc.

  And you CAN believe the MAC address if it's the same as the last time. :)

  Remember, you don't just have the current authentication.  You have the accounting information from previous sessions.  So... cross-check the new session against the previous one.  If the data is the same... it's likely the same person re-authenticating.

  Alan DeKok.

More information about the Freeradius-Users mailing list