Using RADIUS CoA for reauthenticate STA
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Fri Sep 2 06:38:41 PDT 2022
On Thu, 1 Sep 2022, Daniil Sliusar wrote:
> Hello Alan,
>
> Thanks for the reply.
>
>> CoA is about changing authorization. i.e. "change from 10Mbps to 100Mbps". It's not about reauthenticating subscribers.
>>
>> If you want to reauthenticate subscribers, you have to use disconnect messages. There are no provisions for reauthenticating users while keeping their connection "up".
>>
>> The underlying protocols simply don't work that way, and don't support it. It's impossible.
>
> Actually it’s not 100% true. Many NAS vendors support CoA in a way to reauthenticate session without disconnect.
> For example Cisco/Meraki supports CoA with special VSA 'subscriber:command=reauthenticate' to force dot1x auth
> process for existing client session.
+1 on the above. My employer's customers wanted this sort of
capability in order to support multi-level authorizations (e.g.
authenticate the computer and then the user) to grant access to a
particular set of VLANs, so that is what I implemented. However, it
did require implementing custom code.
I was led to believe that this is a common sort of extension.
Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
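The vendor-extension CoA discussed in this thread, sketched as an added example (not code from any poster or from hostap): it encodes a CoA-Request per RFC 5176 carrying the Cisco-AVPair quoted above, and shows the authenticator check a receiving NAS has to make before acting on it. Identifying the session by Calling-Station-Id, the function names, the MAC address and the shared secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code
CALLING_STATION_ID = 31   # assumed session identifier: the station MAC
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # Cisco vendor type 1 (Cisco-AVPair)
REAUTH = "subscriber:command=reauthenticate"  # VSA string quoted in the thread


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_reauth(identifier: int, secret: bytes, station_mac: str) -> bytes:
    """Build a CoA-Request asking the NAS to re-run 802.1X for one station."""
    attrs = attr(CALLING_STATION_ID, station_mac.encode("ascii"))
    attrs += cisco_avpair(REAUTH)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator: MD5(code, id, length, 16 zero octets, attrs, secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """NAS-side check: reject bad length, wrong code or a bad authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + b"\x00" * 16 + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The shared secret is the only thing authenticating this request, so a NAS that accepts CoA should also restrict which source addresses may send it.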