Re: [RADIATOR] EAPContext inner_identity

2013-11-11 Thread David Zych
On 10/30/2013, Heikki Vatiainen wrote:
>> > Great, I'll get back to you when we have something to test.
> Hello David,
> 
> EAP_25.pm in the current patches now sets $context->{inner_identity} as
> soon as the inner EAP figures it out.
> 
> If you have time to test this, please let us know how it goes.

This looks great; thanks so much!

David
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] EAPContext inner_identity

2013-10-30 Thread Heikki Vatiainen
On 10/11/2013 04:50 PM, Heikki Vatiainen wrote:

> Great, I'll get back to you when we have something to test.

Hello David,

EAP_25.pm in the current patches now sets $context->{inner_identity} as
soon as the inner EAP figures it out.

If you have time to test this, please let us know how it goes.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] EAPContext inner_identity

2013-10-11 Thread Heikki Vatiainen
On 10/10/2013 12:06 AM, David Zych wrote:

> That makes sense to me, and I'd be more than happy to test it on my dev
> radius server (which has a dev wireless SSID pointed to it).

Great, I'll get back to you when we have something to test.

> Full disclosure, though: as of this moment I would have no idea how to
> specifically test the effect on PEAP Fast Reconnect.  (specifically, I
> don't know how to make a client attempt to do a PEAP Fast Reconnect, or
> to confirm afterward that it was successful -- since I assume if a PEAP
> Fast Reconnect fails it will seamlessly fall back and do a regular full
> authentication instead)

When the client does successful fast reconnect, recent (4.11+) Radiators
log this 'EAP PEAP Session resumed' when Trace is set to 4.

The Windows client offers a checkbox to turn this off, but it's very
automatic and if it fails or the server is configured not to support it,
the fallback is full authentication. There is no requirement it is
supported by either side.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] EAPContext inner_identity

2013-10-09 Thread David Zych
On Wed, 02 Oct 2013 18:21:47, Heikki Vatiainen wrote:
> It appears existence of {inner_identity} is considered also when
> deciding if the client should be allowed to do PEAP fast reconnect.
...
> I think the plan could be to introduce {inner_auth_success} and leave
> {inner_identity} just for logging and other such purposes.
> 
> Would you be interested in testing this?

That makes sense to me, and I'd be more than happy to test it on my dev
radius server (which has a dev wireless SSID pointed to it).

Full disclosure, though: as of this moment I would have no idea how to
specifically test the effect on PEAP Fast Reconnect.  (specifically, I
don't know how to make a client attempt to do a PEAP Fast Reconnect, or
to confirm afterward that it was successful -- since I assume if a PEAP
Fast Reconnect fails it will seamlessly fall back and do a regular full
authentication instead)

Thanks,
David


Re: [RADIATOR] EAPContext inner_identity

2013-10-02 Thread Heikki Vatiainen
On 10/01/2013 03:21 AM, David Zych wrote:

> However, EAP_25 (PEAP) only sets $context->{inner_identity} in
> replyFn after the inner authentication succeeds.  In order for it to
> be available in case of reject, I'm experimenting with using a second
> PostAuthHook on the inner handler to _set_
> {outerRequest}->{EAPContext}->{inner_identity}.  This seems to work
> in my testing so far, but I'm worried that it might have unintended
> consequences.

It appears existence of {inner_identity} is considered also when
deciding if the client should be allowed to do PEAP fast reconnect.

> I was wondering: is there an important reason that EAP_25 does *not*
> set $context->{inner_identity} as soon as the identity is available
> (or at least also in the reject case of replyFn)?

inner_identity can be set earlier too but in this case EAP_25 should
also set something like {inner_auth_success} EAP_21 does and use that
with fast reconnect check.

> If yes, there's something going on that I don't understand, in which
> case setting it myself via PostAuthHook could cause problems and I
> should consider altering my plan.  If no, then my plan is sound, but
> setting it in EAP_25 would be even better and save me a PostAuthHook.
> :)

I think the plan could be to introduce {inner_auth_success} and leave
{inner_identity} just for logging and other such purposes.

Would you be interested in testing this?

Thanks,
Heikki

-- 
Heikki Vatiainen 

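The approach discussed in this exchange (David's second PostAuthHook on the inner handler that writes into {outerRequest}->{EAPContext}, combined with Heikki's suggestion of a separate {inner_auth_success} flag) can be sketched as a hook body. The following is an added example written for this page; it is not code from the thread or from Radiator itself. It assumes Radiator's documented PostAuthHook calling convention (references to request, reply, result code and reason), that request objects expose get_attr() and hold {outerRequest} and {EAPContext} as hash keys, and that $main::ACCEPT / $main::REJECT are the result codes; the MockRequest package and the constructed outer/inner requests stand in for real Radiator objects so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not part of Radiator or of the mailing-list thread.
# Goal: make the inner PEAP identity available in the outer request's
# EAPContext as soon as it is known, so a reject can be logged against
# the real user instead of the anonymous outer identity, while keeping a
# separate success flag for the fast-reconnect decision.
use strict;
use warnings;

# Minimal stand-in for Radiator's request objects (assumption: real
# objects provide get_attr() and carry {outerRequest}/{EAPContext} as
# hash keys, as $p->{outerRequest}->{EAPContext} in the thread implies).
package MockRequest;
sub new      { my ($class, %attrs) = @_; return bless { attrs => {%attrs} }, $class; }
sub get_attr { my ($self, $name) = @_; return $self->{attrs}{$name}; }

package main;

# Result codes Radiator normally defines; values assumed here so the
# script runs outside Radiator.
our ($ACCEPT, $REJECT) = (0, 1);

# Hook body for the *inner* Handler. In radiator.cfg this would be given
# as "PostAuthHook sub { ... }". Argument convention (references to
# request, reply, result and reason) is an assumption from Radiator's
# documentation.
my $inner_post_auth_hook = sub {
    my ($p_ref, $rp_ref, $result_ref, $reason_ref) = @_;
    my $p      = $$p_ref;
    my $result = $$result_ref;

    my $outer = $p->{outerRequest} or return;   # not a tunnelled inner request
    my $ctx   = $outer->{EAPContext} or return; # nothing to annotate

    my $identity = $p->get_attr('User-Name');
    return unless defined $identity;

    # Record the identity regardless of outcome so that a later reject
    # can be attributed to the inner user in logs and accounting.
    $ctx->{inner_identity} = $identity;

    # Keep success as its own flag, as suggested in the thread, so a
    # fast-reconnect check does not key off the mere presence of
    # inner_identity.
    $ctx->{inner_auth_success} = ($result == $main::ACCEPT) ? 1 : 0;
    return;
};

# Stand-alone demonstration with constructed requests.
my $outer = MockRequest->new('User-Name' => 'anonymous@example.org');
$outer->{EAPContext} = {};

# Inner request carrying the real user, rejected by the inner handler.
my $inner = MockRequest->new('User-Name' => 'alice@example.org');
$inner->{outerRequest} = $outer;

my ($rp, $result, $reason) = (undef, $REJECT, 'Bad password');
$inner_post_auth_hook->(\$inner, \$rp, \$result, \$reason);

my $ctx = $outer->{EAPContext};
die "inner identity was not propagated on reject\n"
    unless defined $ctx->{inner_identity}
        && $ctx->{inner_identity} eq 'alice@example.org';
die "reject must not be recorded as inner success\n"
    if $ctx->{inner_auth_success};

printf "outer=%s inner_identity=%s inner_auth_success=%d\n",
    $outer->get_attr('User-Name'), $ctx->{inner_identity},
    $ctx->{inner_auth_success};
```

With the identity and the success flag recorded separately, an outer-handler hook or log format can report which inner user a rejected PEAP session belonged to, while the fast-reconnect logic can consult {inner_auth_success} rather than relying on {inner_identity} being set only after success.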