On 30.11.2016 16.27, Hartmaier Alexander wrote:

we have random EAP authentication errors since the upgrade to 4.17.
I figured it might have something to do with the EAP session resumption
changes in 4.17.

For tweaking resumption behaviour, can you try adding the parameter shown below to the EAPTLS_ settings?

I have been looking at this, and my suspicion is that when Windows has been configured to try both machine and username authentication, it uses the same TLS session for both. This may cause confusion for it when a session resumption succeeds as machine while the session was first successful for username authentication. What Radiator sees is a successful resumption and proceeds as usual.

In 4.17 you can further restrict the context for which the resumption is considered. So please add the original username to the context, so that the host/ prefix creates a separate context for machine vs username authentication.

EAPTLS_SessionContextId %u%1

The above adds the original User-Name to the resumption context, which creates a separate resumption context when the username changes.

This parameter goes to the AuthBy that handles the outer EAP authentication (certificates, etc.).

For more:
https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxxxxxx.html

Thanks,
Heikki


--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
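The resumption-context behaviour discussed in the reply above, as an added illustration that is not part of this thread or of Radiator's own code: a toy model of a TLS session cache keyed by session ID plus a context string, run through the machine-after-user scenario. The AuthBy identifier, the function names and the exact expansion of the two context templates (one without and one with the outer User-Name) are assumptions made for the example; only the cache-key comparison is what the thread describes.

```python
"""Toy model of EAP-TLS session resumption with and without the outer
User-Name in the resumption context.  Constructed example, not Radiator code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed identifier of the AuthBy handling the outer (PEAP/TLS) authentication.
AUTHBY_ID = "PEAP-outer"

# Assumed expansions of the two context templates from the thread:
# a default context that does not depend on the outer identity, and the
# '%u...' variant that prefixes the original User-Name to it.
ContextPolicy = Callable[[str], str]


def context_without_user(outer_username: str) -> str:
    return AUTHBY_ID


def context_with_user(outer_username: str) -> str:
    return outer_username + AUTHBY_ID


@dataclass(frozen=True)
class CachedSession:
    context_id: str        # context the session was created under
    inner_identity: str    # identity that passed the inner method at creation


class ResumptionCache:
    """Session cache: a resumption only succeeds if the session ID is known
    AND the current context equals the one stored at creation time."""

    def __init__(self) -> None:
        self._sessions: Dict[bytes, CachedSession] = {}

    def store(self, session_id: bytes, context_id: str, inner_identity: str) -> None:
        self._sessions[session_id] = CachedSession(context_id, inner_identity)

    def lookup(self, session_id: bytes, context_id: str) -> Optional[CachedSession]:
        entry = self._sessions.get(session_id)
        if entry is None or entry.context_id != context_id:
            return None
        return entry


def authenticate(cache: ResumptionCache, policy: ContextPolicy, session_id: bytes,
                 outer_username: str, inner_identity: str, inner_ok: bool
                 ) -> Tuple[str, Optional[str]]:
    """One EAP exchange.  Returns (outcome, identity the server believes it
    authenticated).  A resumed session skips the inner method entirely."""
    ctx = policy(outer_username)
    cached = cache.lookup(session_id, ctx)
    if cached is not None:
        return ("resumed", cached.inner_identity)
    if not inner_ok:
        return ("reject", None)
    cache.store(session_id, ctx, inner_identity)
    return ("full", inner_identity)


# Constructed scenario: the client reuses one TLS session for user auth and
# then for machine auth (host/ prefix), as the reply suspects Windows does.
SESSION_ID = b"\x11" * 32
USER = "alice"
MACHINE = "host/pc1.example.com"


def machine_after_user(policy: ContextPolicy) -> Tuple[str, Optional[str]]:
    cache = ResumptionCache()
    authenticate(cache, policy, SESSION_ID, USER, USER, inner_ok=True)
    # Same session ID, but now the outer identity is the machine account.
    return authenticate(cache, policy, SESSION_ID, MACHINE, MACHINE, inner_ok=True)


def same_user_resumes(policy: ContextPolicy) -> Tuple[str, Optional[str]]:
    cache = ResumptionCache()
    authenticate(cache, policy, SESSION_ID, USER, USER, inner_ok=True)
    return authenticate(cache, policy, SESSION_ID, USER, USER, inner_ok=True)


if __name__ == "__main__":
    # Without the User-Name in the context, the machine attempt resumes the
    # session that was created for alice; with it, a full inner auth is forced.
    print("default context :", machine_after_user(context_without_user))
    print("with %u context :", machine_after_user(context_with_user))
    print("same user, %u   :", same_user_resumes(context_with_user))
```

Under the default context the machine attempt returns `("resumed", "alice")`: the server skips the inner method and believes it authenticated alice while the client is in its machine-auth phase. With the User-Name in the context the same attempt returns `("full", "host/pc1.example.com")`, and a repeat by the same user still resumes normally, which is the separation the reply is asking for.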
