Re: [Issue] Corner case in 802.1X/EAP State Machines
From: Bernard Aboba (abobainternaut.com)
Date: Tue, 11 May 2004 20:13:14 -0400 (EDT)
> 2.1) If the RADIUS/EAP request has no EAP message - i.e. it is an initial
> request - the backend server could go to INITIALIZE and reset variables and
> start a new authentication.  It does not do this right now, but this seems
> a reasonable thing to change.

The issue of whether a given RADIUS Access-Request is part of an existing
EAP exchange or represents a new exchange is not unique to this particular
discussion. It can occur in multiple contexts.

RFC 3579 discusses this issue in Section 2.6.1:

"  In EAP, each session has its own unique Identifier space.  RADIUS
   server implementations MUST be able to distinguish between EAP
   packets with the same Identifier existing within distinct sessions,
   originating on the same NAS.  For this purpose, sessions can be
   distinguished based on NAS and session identification attributes.
   NAS identification attributes include NAS-Identifier,
   NAS-IPv6-Address and NAS-IPv4-Address.  Session identification
   attributes include User-Name, NAS-Port, NAS-Port-Type, NAS-Port-Id,
   Called-Station-Id, Calling-Station-Id and Originating-Line-Info."

I take this to mean that a NAS wishing to start a new RADIUS exchange
needs to ensure that the server can distinguish this exchange from others
which may be occurring on the same or other NASen.

In this particular case, NAS Identification attributes are the same (same
NAS), as is the User-Name, Called-Station-Id, Calling-Station-Id,
NAS-Port-Type.

However, RFC 3579 nevertheless requires that the sessions be
distinguished.

The question is how.  In some cases (such as when the peer attaches to a
new NAS Port), the sessions can be distinguished via a different NAS-Port
or NAS-Port-Id.

However, when the NAS-Port is the same (e.g. the peer has associated to
the AP, and therefore the Association-Id/NAS-Port hasn't changed) we need
another way of distinguishing the sessions.
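To make the session-distinction problem concrete, here is an added example that is not part of the original post: a small Python model of a RADIUS server's EAP session table keyed on exactly the NAS and session identification attributes the quoted RFC 3579 text lists. The attribute names come from the page; the `EapSessionTable` class, its return labels and the sample requests (NAS "ap-1", user "alice", the station identifiers) are constructed for illustration. It shows that two peers on different NAS-Ports with the same EAP Identifier map to separate sessions, and that an initial request (no EAP-Message) on an unchanged NAS-Port silently replaces the existing session, which is the corner case under discussion.

```python
"""Session bookkeeping for EAP-over-RADIUS, keyed on the RFC 3579 2.6.1 attributes.

Added example; the attribute lists are from RFC 3579 as quoted above, the
session-table design and sample values are assumptions made for illustration.
"""

# NAS identification attributes named in RFC 3579 Section 2.6.1.
NAS_ID_ATTRS = ("NAS-Identifier", "NAS-IPv6-Address", "NAS-IPv4-Address")
# Session identification attributes named in the same section.
SESSION_ID_ATTRS = ("User-Name", "NAS-Port", "NAS-Port-Type", "NAS-Port-Id",
                    "Called-Station-Id", "Calling-Station-Id",
                    "Originating-Line-Info")


def session_key(attrs):
    """Hashable key built from whichever RFC 3579 attributes the request carries.

    Attributes absent from the request contribute None, so a request with
    fewer attributes still yields a deterministic (if coarser) key.
    """
    return tuple((name, attrs.get(name)) for name in NAS_ID_ATTRS + SESSION_ID_ATTRS)


class EapSessionTable:
    """Per-session EAP Identifier state, one entry per distinct session key."""

    def __init__(self):
        self._sessions = {}

    def handle_access_request(self, attrs, eap_identifier=None):
        """Classify an Access-Request against the sessions already known.

        Returns one of:
          "new"      - no EAP-Message: start (or restart) the session for this key
          "continue" - EAP-Message carrying a fresh Identifier for a known session
          "stale"    - EAP-Message repeating the last Identifier (retransmission)
          "unknown"  - EAP-Message for a key with no session on record
        """
        key = session_key(attrs)
        if eap_identifier is None:
            # Initial request: reset state for this key, as the quoted proposal
            # suggests. If a session already exists under the same key it is
            # silently replaced; that is the corner case raised in the thread.
            self._sessions[key] = {"last_id": None}
            return "new"
        sess = self._sessions.get(key)
        if sess is None:
            return "unknown"
        if sess["last_id"] == eap_identifier:
            return "stale"
        sess["last_id"] = eap_identifier
        return "continue"

    def session_count(self):
        return len(self._sessions)


def demo():
    """Walk two stations through the table; returns (session count, decisions)."""
    table = EapSessionTable()
    # Constructed sample attributes: same NAS, same user, same station ids.
    base = {"NAS-Identifier": "ap-1", "User-Name": "alice",
            "NAS-Port-Type": "Wireless-802.11",
            "Called-Station-Id": "00-11-22-33-44-55:corp",
            "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}
    port1 = {**base, "NAS-Port": 1}
    port2 = {**base, "NAS-Port": 2}
    decisions = [
        table.handle_access_request(port1),       # new session on port 1
        table.handle_access_request(port2),       # new, distinct key via NAS-Port
        table.handle_access_request(port1, 1),    # continue on port 1
        table.handle_access_request(port2, 1),    # same Identifier, other session: continue
        table.handle_access_request(port1, 1),    # repeated Identifier: stale
        table.handle_access_request(port1),       # same NAS-Port again: old session replaced
        table.handle_access_request(port1, 1),    # Identifier 1 is fresh for the reset session
    ]
    return table.session_count(), decisions


if __name__ == "__main__":
    print(demo())
```

The last two calls are the point: once NAS, User-Name, station identifiers and NAS-Port all repeat, the attributes RFC 3579 names give the server nothing to tell the new exchange from the old one, so the server must either reset (as modelled here) or rely on some further distinguishing signal.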
