Using RADIUS CoA for reauthenticate STA

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Fri Sep 2 06:38:41 PDT 2022


On Thu, 1 Sep 2022, Daniil Sliusar wrote:

> Hello Alan,
>
> Thanks for the reply.
>
>>  CoA is about changing authorization.  i.e. "change from 10Mbps to 100Mbps".  It's not about reauthenticating subscribers.
>>
>>  If you want to reauthenticate subscribers, you have to use disconnect messages.  There are no provisions for reauthenticating users while keeping their connection "up".
>>
>>  The underlying protocols simply don't work that way, and don't support it.  It's impossible.
>
> Actually it’s not 100% true. Many NAS vendors support CoA in a way to reauthenticate session without disconnect.
> For example Cisco/Meraki supports CoA with special VSA 'subscriber:command=reauthenticate' to force dot1x auth
> process for existing client session.

+1 on the above.  My employer's customers wanted this sort of 
capability in order to support multi-level authorizations (e.g. 
authenticate the computer and then the user) to grant access to a 
particular set of VLANs, so that is what I implemented.  However, it 
did require implementing custom code.

I was led to believe that this is a common sort of extension.

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
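As an added illustration of what the thread is talking about (this is not code from the thread, from hostapd, or from any vendor), the block below encodes an RFC 5176 CoA-Request that identifies an existing session and carries the Cisco-AVPair quoted above, and shows the checks each side should apply: the NAS recomputes the Request Authenticator under the shared secret before acting on the packet, and the sending server validates the Response Authenticator of the CoA-ACK. The user name, session id and shared secret are constructed sample values; whether a given NAS honours the AV-pair as a reauthentication command is vendor-specific, which is exactly the point made in the thread.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176 (Dynamic Authorization Extensions).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute types (RFC 2865 / RFC 2866).
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44

# Cisco's IANA enterprise number and the Cisco-AVPair vendor-type.
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# The AV-pair quoted in the thread; whether a NAS acts on it is vendor-specific.
REAUTH_COMMAND = "subscriber:command=reauthenticate"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (RFC 2865 s.5.26)."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def _header(code: int, ident: int, attrs: bytes) -> bytes:
    """Code / Identifier / Length; Length covers the 20-byte header plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(_header(code, ident, attrs) + bytes(16) + attrs + secret).digest()


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 5176 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(_header(code, ident, attrs) + req_auth + attrs + secret).digest()


def build_coa_reauth(username: str, session_id: str, secret: bytes, ident: int = 0) -> bytes:
    """Server side: CoA-Request naming the session and carrying the reauth AV-pair."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + cisco_avpair(REAUTH_COMMAND))
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return _header(COA_REQUEST, ident, attrs) + auth + attrs


def parse_attrs(packet: bytes) -> list:
    """Return (type, value) pairs; a Vendor-Specific value becomes (vendor, vtype, data)."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = struct.unpack("!BB", value[4:6])
            value = (vendor, vtype, value[6:4 + vlen])
        out.append((atype, value))
        pos += alen
    return out


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator and compare in constant time
    before acting on any CoA/Disconnect request."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_ack(request: bytes, secret: bytes) -> bytes:
    """NAS side: CoA-ACK with no attributes, bound to the request's authenticator."""
    ident = request[1]
    auth = response_authenticator(COA_ACK, ident, b"", request[4:20], secret)
    return _header(COA_ACK, ident, b"") + auth


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: accept a CoA-ACK/NAK only if it answers our request under our secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])
```

The shared-secret MD5 authenticator is the only integrity protection RFC 5176 gives these packets, so a NAS that accepts CoA from any source without checking it (or one that uses a weak secret) can have sessions reset by whoever can reach its CoA port; restricting the listener to the RADIUS server's address and validating the authenticator are the minimum on the NAS side.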