PATCH: identity change while reauth
Jouni Malinen
jkmaline
Thu Jul 29 21:21:38 PDT 2004
On Thu, Jul 29, 2004 at 09:52:37AM +0200, Gunter Burchardt wrote:
> I found a problem with reauthentication. During reauthentication a user
> can answer the identity request with another identity than in the first
> request. hostapd saves the new identity and loses the old one. As a
> result all accounting requests will be sent with the new identity. The
> traffic statistics are cumulated with the traffic of the first identity.
Hmm.. How is the accounting session defined? hostapd is currently
mapping each IEEE 802.11 association to an accounting session. Can you
point me to a standard that defines that changing identity in EAP
authentication should be considered to always terminate the accounting
session?
> Ok, someone could say that a radius-server could reject the
> access-request from the ap with an opened session with same NAS-PORT
> but other identity, but this would be only a workaround. hostap should
> close the old session and open a new one. In this way the old session
> is closed in the right way (Accounting-Stop packet) and the user didn't
> get a reject with a valid authentication.
I would agree with the part that if this is the desired functionality,
it should be done in the Authenticator. However, is IEEE 802.11
deauthentication the correct way of doing this? One option would be to
send Accounting-Stop and still continue the new IEEE 802.1X/EAP
authentication without disassociating (and finally generate
Accounting-Start if the authentication completes successfully).
> + /* check whether identity has changed */
> + if (sta->acct_session_started &&
> + ((sm->identity_len != len) ||
> + (memcmp(sm->identity,data,
> + (len<sm->identity_len?len:sm->identity_len)) != 0))) {
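Review bot: the memcmp() call reads sm->identity with no check visible in this hunk that it is non-NULL; if the stored identity can still be unset while sta->acct_session_started is true, test it before comparing. The condition is also hard to read as formatted: spaces after the commas and around `<`, `?` and `:` in the length argument would help, and the comment should say what the code does once the identity has changed, not only that it checks.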
sm->identity_len == len if the memcmp() is being run, so there is no
point in verifying again whether len < sm->identity_len..
--
Jouni Malinen PGP id EFC895FA
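The option described in the reply above (send Accounting-Stop when the identity changes, continue the authentication, and send Accounting-Start once it succeeds), as an added example that is not part of the original post and not hostapd code. `struct sta`, `identity_changed()`, `rx_identity()` and `auth_success()` are hypothetical names, the counters stand in for real RADIUS accounting messages, and `id` is assumed to be non-NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified station state (not hostapd's real structures). */
struct sta {
    unsigned char *identity;
    size_t identity_len;
    int acct_session_started;
    int acct_stops, acct_starts;   /* Accounting-Stop/-Start messages "sent" */
};

/* Length is compared first, so memcmp() only ever runs on equal lengths. */
static int identity_changed(const struct sta *s, const unsigned char *id, size_t len)
{
    return s->identity != NULL &&
           (s->identity_len != len || memcmp(s->identity, id, len) != 0);
}

/* EAP-Response/Identity received, on initial or repeated authentication. */
static int rx_identity(struct sta *s, const unsigned char *id, size_t len)
{
    unsigned char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, id, len);
    if (s->acct_session_started && identity_changed(s, id, len)) {
        s->acct_stops++;           /* close the old identity's session */
        s->acct_session_started = 0;
    }
    free(s->identity);
    s->identity = copy;
    s->identity_len = len;
    return 0;
}

static void auth_success(struct sta *s)   /* EAP authentication succeeded */
{
    if (!s->acct_session_started)
        s->acct_starts++;          /* open a session for the current identity */
    s->acct_session_started = 1;
}

int main(void)
{
    struct sta s = {0};            /* constructed sample identities below */
    rx_identity(&s, (const unsigned char *)"alice", 5); auth_success(&s);
    rx_identity(&s, (const unsigned char *)"bob", 3);   auth_success(&s);
    printf("stops=%d starts=%d\n", s.acct_stops, s.acct_starts);
    return 0;
}
```

If the reauthentication fails after the identity changed, the old session has already been closed and no new one is opened, so no traffic is accounted to either identity from that point.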