On Thu, 1 Sep 2022, Daniil Sliusar wrote:
Hello Alan,
Thanks for the reply.
CoA is about changing authorization. i.e. "change from 10Mbps to 100Mbps". It's not about reauthenticating subscribers.
If you want to reauthenticate subscribers, you have to use disconnect messages. There are no provisions for reauthenticating users while keeping their connection "up".
The underlying protocols simply don't work that way, and don't support it. It's impossible.
Actually it’s not 100% true. Many NAS vendors support CoA in a way to reauthenticate session without disconnect.
For example, Cisco/Meraki supports CoA with the special VSA 'subscriber:command=reauthenticate' to force the dot1x auth process for an existing client session.
+1 on the above. My employer's customers wanted this sort of
capability in order to support multi-level authorizations (e.g.
authenticate the computer and then the user) to grant access to a
particular set of VLANs, so that is what I implemented. However, it
did require implementing custom code.
I was led to believe that this is a common sort of extension.
Bob
--
Bob Friesenhahn
bfriesen@xxxxxxxxxxxxxxxxxxx, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
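To make the exchange discussed above concrete, here is an added example (not code from the thread, hostapd, or any NAS vendor) that builds an RFC 5176 CoA-Request carrying the Cisco-AVPair VSA mentioned by Daniil, and shows the check a NAS performs before honouring such a packet: recomputing the Request Authenticator with the shared secret. Attribute numbers are the standard ones (User-Name 1, Vendor-Specific 26, Acct-Session-Id 44; Cisco vendor id 9, Cisco-AVPair vendor type 1). The shared secret, session id and user name are constructed sample values.

```python
"""RFC 5176 CoA-Request: build, authenticate, and parse (added example)."""
import hashlib
import hmac
import struct

COA_REQUEST = 43            # RADIUS Code for CoA-Request (RFC 5176)
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor type of Cisco-AVPair inside the VSA


def tlv(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1, incl. header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a 'key=value' string in a Vendor-Specific attribute (RFC 2865 5.26)."""
    inner = tlv(CISCO_AVPAIR, text.encode())
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(secret, identifier, attributes):
    """Assemble a CoA-Request; the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + secret) per RFC 5176 2.3."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """What the NAS does on receipt: reject anything whose authenticator was not
    computed with the shared secret, so only the configured server can change
    or reauthenticate a session."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    # RFC 5176 permits trailing padding; this example requires an exact length.
    if code != COA_REQUEST or length != len(packet) or length > 4096:
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def find_cisco_avpairs(packet):
    """Walk the attribute list with bounds checks and return decoded Cisco-AVPair strings."""
    attrs = packet[20:]
    found = []
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or vlen != len(value) - 4:
                raise ValueError("bad vendor attribute length")
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                found.append(value[6:4 + vlen].decode())
        pos += alen
    return found


# Constructed sample session; the secret is a placeholder, not a real deployment value.
SECRET = b"example-shared-secret"
SAMPLE = build_coa_request(SECRET, 7, [
    tlv(ATTR_USER_NAME, b"alice"),
    tlv(ATTR_ACCT_SESSION_ID, b"0000ABCD"),
    cisco_avpair("subscriber:command=reauthenticate"),
])

if __name__ == "__main__":
    print("authentic:", verify_coa_request(SAMPLE, SECRET))
    print("avpairs:", find_cisco_avpairs(SAMPLE))
```

Two points worth noting from the verifier: the authenticator binds the whole attribute list, so a forwarded packet cannot have its `subscriber:command` swapped without the shared secret, and the parser checks every length field before indexing, which is where hand-rolled RADIUS decoders usually go wrong.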
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap