different user names for the same session
Alan DeKok
aland
Thu Nov 13 14:05:37 PST 2008
Jouni Malinen wrote:
> Here the client (Supplicant) requested new authentication; no
> EAPOL-Logoff for the previous session was shown in the log.
>
>> 1226549709.255657: wlan0: STA 00:60:b3:fe:3e:57 IEEE 802.1X: STA identity 'host/filteria'
>
> And the supplicant used the machine identity this time. However, since
> there was no re-association or EAPOL-Logoff for the previous session,
> this is still considered to be part of the previous session by hostapd.

But... there's no "re-authentication" in RADIUS. Unless there is a
State attribute that ties an Access-Accept to a previous session, the
two sessions are completely unrelated.

If you choose to re-authenticate before your earlier session expires,
that's nice. But it's semantically the same as dialing in on a
*different* line, and then hanging up on the first one.

IMHO, the only way the two sessions can be the "same" is if the RADIUS
server returns the first Acct-Session-Id in the second Access-Accept.
This tells the NAS to re-use that Acct-Session-Id for the second
session. If this doesn't happen, then the NAS *should* invent a new
Acct-Session-Id.

Alan DeKok.
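
A check an accounting consumer could run for the situation discussed in this thread, where one Acct-Session-Id ends up carrying two identities. This is an added example, not code from the post or from hostapd; the blank-line-separated record layout, the session ids, the NAS name and the user name `jdoe` are constructed.

```python
from collections import defaultdict

# Constructed sample accounting records. Attribute names are from RFC 2865/2866;
# the values and the "Attr = value" layout are assumptions for this example.
SAMPLE = """\
Acct-Status-Type = Start
Acct-Session-Id = "4919A3CD-00000001"
User-Name = "jdoe"
NAS-Identifier = "ap1"

Acct-Status-Type = Interim-Update
Acct-Session-Id = "4919A3CD-00000001"
User-Name = "host/filteria"
NAS-Identifier = "ap1"

Acct-Status-Type = Start
Acct-Session-Id = "4919A3CD-00000002"
User-Name = "bob"
NAS-Identifier = "ap1"
"""

def parse_records(text):
    """Split blank-line-separated blocks into attribute dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition("=")
            if sep:
                rec[name.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records

def mixed_identity_sessions(records):
    """Map (NAS, Acct-Session-Id) to its user names when more than one appears."""
    seen = defaultdict(list)
    for rec in records:
        sid, user = rec.get("Acct-Session-Id"), rec.get("User-Name")
        if sid is None or user is None:
            continue  # record cannot be attributed to a session or user
        key = (rec.get("NAS-Identifier", ""), sid)  # session ids are per NAS
        if user not in seen[key]:
            seen[key].append(user)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (nas, sid), users in mixed_identity_sessions(parse_records(SAMPLE)).items():
        print(f"{nas} {sid}: {' -> '.join(users)}")
```
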