Re: Proxied EAP authentication
My thesis is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement. The diagram is like the one in RFCs (which describes authentication with EAP) but some messages are passed to home server from foreign server (proxy) and are identical with these that are passed from access point to proxy server (in normal procedure). In this diagram there aren't any State or Proxy-State attributes. It's possible that I may have to modify the procedure of radius protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes. As far as I have seen these 2 attributes don't affect EAP protocol. Is that correct?

Thanks

> From: Alan DeKok [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Proxied EAP authentication
> Date: Tue, 16 Nov 2004 17:25:06 -0500
>
> jh vg [EMAIL PROTECTED] wrote:
> > I am working on my university thesis using Freeradius. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use proxy).
>
> I'm not sure that's possible.
>
> > No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in radius docs).
>
> There is no such document. RADIUS proxies are nothing more than a RADIUS server which passes requests to a RADIUS client.
>
>               proxy
>          +---------------+
>  client  | server client |  server
>          +---------------+
>
> A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact.
>
> > So the question is are there any RFC describing the procedure? I would also like to know if I can alter freeradius source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.
>
> Uh... why? Those attributes have very well-defined meanings. They're needed. If you don't have them, EAP & RADIUS stop working. Read the RFCs to see why.
>
> Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP RADIUS.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Proxied EAP authentication
It is possible to reduce the number of messages for reauthentication by implementing what is variously known as Fast Roaming, Fast Reauthentication and Session Resumption. This doesn't have any impact on the initial authentication exchange. However, once both parties (supplicant and authenticator) know the master password, then the fact that each party knows the master password is considered sufficient to authenticate the supplicant and authenticator to each other. Generally, this is only applied for a fixed period/fixed number of reauthentications before a complete reauthentication involving the RADIUS server is required.

IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP so probably Session Resumption will be supported in those EAP types at the minimum.

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jh vg
Sent: 17 November 2004 11:40
To: [EMAIL PROTECTED]
Subject: Re: Proxied EAP authentication

My thesis is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement. The diagram is like the one in RFCs (which describes authentication with EAP) but some messages are passed to home server from foreign server (proxy) and are identical with these that are passed from access point to proxy server (in normal procedure). In this diagram there aren't any State or Proxy-State attributes. It's possible that I may have to modify the procedure of radius protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes. As far as I have seen these 2 attributes don't affect EAP protocol. Is that correct?

Thanks
Re: Proxied EAP authentication
jh vg [EMAIL PROTECTED] wrote:
> My thesis is the implementation for a proposed framework of lightweight WLAN Roaming. So we are trying to reduce the number of messages so as to provide faster roaming. They have given me a diagram with the exchange of messages which I must implement.

Are you implementing an existing protocol? If so, you must follow the protocol spec, in order to be inter-operable with other implementations. This means that you must implement the number, and order of messages as defined in the spec.

The end result is that you can't reduce the number of messages.

> The diagram is like the one in RFCs (which describes authentication with EAP) but some messages are passed to home server from foreign server (proxy) and are identical with these that are passed from access point to proxy server (in normal procedure).

Yes, that's called proxying.

> In this diagram there aren't any State or Proxy-State attributes.

Then the diagram is wrong. End of story.

> It's possible that I may have to modify the procedure of radius protocol, but I am not sure if the protocol can work without the exchange of State and Proxy-State attributes.

It can't.

> As far as I have seen these 2 attributes don't affect EAP protocol. Is that correct?

If you're doing proxying, you're required to use Proxy-State. If you're using EAP, you're required to use State.

The diagram is wrong. What you are trying to do is impossible. It's impossible because if you remove State & Proxy-State, then what you're trying to do won't work.

I suggest finding out why the diagram is wrong, and who created it.

Alan DeKok.
Re: Proxied EAP authentication
Guy Davies [EMAIL PROTECTED] wrote:
> IIUC, FreeRADIUS implements this in the EAP-TLS module that is used by EAP-TTLS and PEAP so probably Session Resumption will be supported in those EAP types at the minimum.

FreeRADIUS doesn't implement fast reconnect for session resumption.

Alan DeKok.
Proxied EAP authentication
Hi

I am working on my university thesis using Freeradius. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use proxy). No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in radius docs). So the question is are there any RFC describing the procedure?

I would also like to know if I can alter freeradius source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.

Thanks
Re: Proxied EAP authentication
jh vg [EMAIL PROTECTED] wrote:
> I am working on my university thesis using Freeradius. It's about WLAN Roaming. We want to reduce the messages that are sent during an EAP authentication between the foreign and home server (so we use proxy).

I'm not sure that's possible.

> No matter how I have searched I can't find an RFC describing the sequence of messages between 2 servers (I looked at RFC 3579, 3580 and generally all RFCs in radius docs).

There is no such document. RADIUS proxies are nothing more than a RADIUS server which passes requests to a RADIUS client.

              proxy
         +---------------+
 client  | server client |  server
         +---------------+

A proxy acts like a server to its clients, and as a client to its servers. There is no extra document needed because the documents already describe how clients and servers interact.

> So the question is are there any RFC describing the procedure? I would also like to know if I can alter freeradius source code so as to cut some attributes it sends. These attributes are probably State and Proxy-State.

Uh... why? Those attributes have very well-defined meanings. They're needed. If you don't have them, EAP & RADIUS stop working. Read the RFCs to see why.

Perhaps you could say WHY you're trying to reduce the messages. Is it the number of messages? The size? I don't think you'll be able to reduce either unless you define your own version of EAP RADIUS.

Alan DeKok.
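Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the attribute handling described in Alan DeKok's two replies above, where a proxy adds and later removes its own Proxy-State and the home server uses State to find the EAP conversation. The class and function names are hypothetical, and packet headers, authenticators and EAP-Message contents are left out.

```python
# Added illustration, not FreeRADIUS code; types 24/33 per RFC 2865, all values constructed.
import os

STATE, PROXY_STATE = 24, 33

def encode(attrs):
    """(type, value) pairs -> RADIUS TLVs; the length byte counts the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode(buf):
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute")
        attrs.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return attrs

class HomeServer:  # tracks each EAP conversation by the State value it handed out
    def __init__(self):
        self.sessions = {}
    def handle(self, wire):
        attrs = decode(wire)
        echoed = [a for a in attrs if a[0] == PROXY_STATE]  # copied back unchanged
        state = next((v for t, v in attrs if t == STATE), None)
        if state is None:
            state, step = os.urandom(8), 0       # no State: a brand-new conversation
        else:
            step = self.sessions[state] + 1      # State selects the conversation
        self.sessions[state] = step
        return step, encode([(STATE, state)] + echoed)

class Proxy:  # a server to the access point, a client to the home server
    def __init__(self, home):
        self.home, self.pending = home, {}
    def forward(self, nas, wire):
        tag = os.urandom(4)
        self.pending[tag] = nas                  # which client is waiting for the reply
        step, reply = self.home.handle(wire + encode([(PROXY_STATE, tag)]))
        attrs = decode(reply)
        last = max(i for i, a in enumerate(attrs) if a[0] == PROXY_STATE)
        return self.pending.pop(attrs.pop(last)[1]), step, encode(attrs)

def run_rounds(nas_echoes_state, rounds=3):
    # Returns the EAP step the home server reached on each round trip.
    proxy, request, steps = Proxy(HomeServer()), b"", []
    for _ in range(rounds):
        _, step, reply = proxy.forward("ap-1", request)
        steps.append(step)
        request = encode([a for a in decode(reply) if a[0] == STATE]) if nas_echoes_state else b""
    return steps
```

`run_rounds(True)` advances through steps 0, 1, 2, while `run_rounds(False)` stays at step 0 because every request that arrives without State starts a new conversation.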