different user names for the same session
Alan DeKok
aland
Fri Nov 14 07:15:37 PST 2008
Jouni Malinen wrote:
> While this makes sense in general, the part of NAS having to figure out
> when "authorizations" change sounds like a somewhat unclear requirement
> since there is no clear definition on what exactly this means and how
> the NAS should determine this. Just comparing a random set of attributes
> based on what a NAS vendor might consider suitable for this is not very
> robust mechanism and will likely result in different behavior between
> NAS implementations.
It's not the job of the NAS to make policy decisions. Down that path
lies insanity.
> One example of changing public (i.e., EAP-Response/Identity information)
> is in EAP-SIM and EAP-AKA which support identity privacy and fast
> re-authentication in a way that changes this identity. If that mechanism
> is used and IEEE 802.1X Authenticator requests re-authentication during
> the same session, the supplicant will use the same credentials (SIM/USIM
> card), but the EAP-Response/Identity string will change.
This is one reason the RFC's allow for User-Name in Access-Accept.
That User-Name MUST be used in the accounting packets. This gives the
AAA server control over the key attributes used to define "sessions".
> I fail to see
> how this could be categorized as a change in authorization. As far as
> NAS is concerned, User-Name change cannot be trusted as a sign of such a
> change. Only the AS (and Supplicant) really know whether authorization
> changed.
Yes. The NAS should act as little more than a pass-through device.
It is impossible for the NAS to try to figure out what's 'really' going
on. It shouldn't even try.
Alan DeKok.
More information about the Hostap
mailing list