different user names for the same session

Alan DeKok aland at deployingradius.com
Fri Nov 14 10:15:37 EST 2008


Jouni Malinen wrote:
> While this makes sense in general, the part of NAS having to figure out
> when "authorizations" change sounds like a somewhat unclear requirement
> since there is no clear definition on what exactly this means and how
> the NAS should determine this. Just comparing a random set of attributes
> based on what a NAS vendor might consider suitable for this is not a very
> robust mechanism and will likely result in different behavior between
> NAS implementations.

  It's not the job of the NAS to make policy decisions.  Down that path
lies insanity.

> One example of changing public (i.e., EAP-Response/Identity information)
> is in EAP-SIM and EAP-AKA which support identity privacy and fast
> re-authentication in a way that changes this identity. If that mechanism
> is used and IEEE 802.1X Authenticator requests re-authentication during
> the same session, the supplicant will use the same credentials (SIM/USIM
> card), but the EAP-Response/Identity string will change.

  This is one reason the RFCs allow for User-Name in Access-Accept.
That User-Name MUST be used in the accounting packets.  This gives the
AAA server control over the key attributes used to define "sessions".

> I fail to see
> how this could be categorized as a change in authorization. As far as
> NAS is concerned, User-Name change cannot be trusted as a sign of such a
> change. Only the AS (and Supplicant) really know whether authorization
> changed.

  Yes.  The NAS should act as little more than a pass-through device.
It is impossible for the NAS to try to figure out what's 'really' going
on.  It shouldn't even try.

  Alan DeKok.
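A minimal illustration of the rule Alan states above (a User-Name returned in Access-Accept is the one the NAS puts in accounting, not whatever the supplicant sent in EAP-Response/Identity), added here as an example; it is not code from this thread or from hostapd. Attribute types follow RFC 2865/2866, and the identity strings are constructed.

```python
import struct

USER_NAME = 1           # RFC 2865 User-Name attribute type
ACCT_SESSION_ID = 44    # RFC 2866 Acct-Session-Id attribute type

def encode_avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value (RFC 2865 5)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def decode_avps(data):
    """Parse a run of TLV attributes, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def accounting_user_name(eap_identity, access_accept_attrs):
    """User-Name the NAS must send in Accounting-Request: the value the AAA
    server returned in Access-Accept wins; otherwise fall back to the EAP identity."""
    for attr_type, value in decode_avps(access_accept_attrs):
        if attr_type == USER_NAME:
            return value.decode("utf-8")
    return eap_identity

def build_acct_attrs(session_id, eap_identity, access_accept_attrs):
    """Accounting-Request attributes that stay keyed to the same name across
    re-authentications even when the EAP identity string changes."""
    name = accounting_user_name(eap_identity, access_accept_attrs)
    return encode_avp(USER_NAME, name) + encode_avp(ACCT_SESSION_ID, session_id)

if __name__ == "__main__":
    # Constructed values: an EAP-SIM permanent identity ('1' prefix, RFC 4186)
    # returned by the AAA server, and a pseudonym ('3' prefix) used at re-auth.
    accept = encode_avp(USER_NAME, "1123456789012345@example.net")
    first = build_acct_attrs("sess-0001", "1123456789012345@example.net", accept)
    reauth = build_acct_attrs("sess-0001", "3abcdef0123@example.net", accept)
    print("accounting User-Name stable across re-auth:", first == reauth)
```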

