Re: [Emu] EAP and authorization

[Stefan Winter <stefan.winter at restena.lu>]

Hi,

>> >> The main limitation on bulk data transfer is that most EAP to
>> >> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
>> >> packets.
>> >
>> > This kind of thing drives me crazy.  Why are their such policies?
>>
>>   To prevent bulk transfer of data over EAP, among others.
>
> This would seem like a highly unlikely scenario, as in most system,
> someone privileged would have
> to install this rogue EAP module in the AAA system.

Which might make sense in a roaming system if you want your users to get
around being billed.

Provider A and B operate WLAN hotspots, say with realm-based routing. A
wants all his users to get access to B's hotspots, but without being
billed for it :-)

A sets up an EAP server with "EAP-Fraud" method which merely tunnels IP
in EAP, installs supplicant with EAP-Fraud support on his clients. A's
clients travel to a B-hotspot, and start a LONG authentication session
to their A realm which is in fact normal IP communication via an IP
proxy on their home EAP server. After an hour or so of merrily speaking
IP, client indicates a wish to disconnect to home and the EAP server
sends an Access-Reject. No bill, since "the authentication failed". Just
took a while.

Greetings,

Stefan Winter

>> > Please do not build EAP session breaking assumptions into AAA
>> implementations.
>>
>>   It would be useful to codify these experiences into an EAP "best
>> practices" document.
>
> I've done it before... (I'll find the proceedings reference)
> An update is coming....


>
> Dave.
>
>
>>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu at ietf.org
> https://www.ietf.org/mailman/listinfo/emu


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473