different user names for the same session

Alan DeKok aland at deployingradius.com
Thu Nov 13 17:05:37 EST 2008


Jouni Malinen wrote:
> Here the client (Supplicant) requested new authentication; no
> EAPOL-Logoff for the previous session was shown in the log.
> 
>> 1226549709.255657: wlan0: STA 00:60:b3:fe:3e:57 IEEE 802.1X: STA identity 'host/filteria'
> 
> And the supplicant used the machine identity this time. However, since
> there was no re-association or EAPOL-Logoff for the previous session,
> this is still consider to be part of the previous session by hostapd.

  But... there's no "re-authentication" in RADIUS.  Unless there is a
State attribute that ties an Access-Accept to a previous session, the
two sessions are completely unrelated.

  If you choose to re-authenticate before your earlier session expires,
that's nice.  But it's semantically the same as dialing in on a
*different* line, and then hanging up on the first one.

  IMHO, the only way the two sessions can be the "same" is if the RADIUS
server returns the first Acct-Session-Id in the second Access-Accept.
This tells the NAS to re-use that Acct-Session-Id for the second
session.  If this doesn't happen, then the NAS *should* invent a new
Acct-Session-Id.

  Alan DeKok.



More information about the HostAP mailing list