different user names for the same session

Jouni Malinen j at w1.fi
Fri Nov 14 10:01:57 EST 2008


On Fri, Nov 14, 2008 at 02:12:23PM +0900, Saber Zrelli wrote:

> RFC 3580 also says :
> 
>       accounting packets are not sent as a result of
>       re-authentication unless the status of the session changes.  For
>       example:
> 
>    [...]
> 
>       The authorizations are changed as a result of a successful
>       re-authentication.  In this case, the Service Unavailable (15)
>       termination cause is used.  For accounting purposes, the portion
>       of the session after the authorization change is treated as a
>       separate session.
> 
> When the peer re-authenticates successfully using a new Identity, IMHO
> that means that the new identity was authorized to access the network.
> Probably, new QoS parameters are also set for the session after
> re-authentication with the new identity. For this reason, IMHO, it
> makes sense to terminate the ongoing accounting session and start a
> new one.

While this makes sense in general, the part of NAS having to figure out
when "authorizations" change sounds like a somewhat unclear requirement
since there is no clear definition on what exactly this means and how
the NAS should determine this. Just comparing a random set of attributes
based on what a NAS vendor might consider suitable for this is not very
robust mechanism and will likely result in different behavior between
NAS implementations.

I could consider things like VLAN id (e.g., Tunnel-Private-Group-ID
attribute) as an authorization change, but NAS does not use User-Name in
anything else than include it in accounting packets or some log
messages. As such, it does not change the access limitations for the
session in any way. Sure, it can indicate a change in credentials in
some, but not all, cases, but whether that really is a "authorization"
change is another question.

One example of changing public (i.e., EAP-Response/Identity information)
is in EAP-SIM and EAP-AKA which support identity privacy and fast
re-authentication in a way that changes this identity. If that mechanism
is used and IEEE 802.1X Authenticator requests re-authentication during
the same session, the supplicant will use the same credentials (SIM/USIM
card), but the EAP-Response/Identity string will change. I fail to see
how this could be categorized as a change in authorization. As far as
NAS is concerned, User-Name change cannot be trusted as a sign of such a
change. Only the AS (and Supplicant) really know whether authorization
changed.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list