RADIUS Context Relocation Issues

1
RADIUS Context Relocation Issues

• Bernard Aboba
• IETF 58
• Minneapolis, MN
• Friday, November 14, 2003
• http//www.drizzle.com/aboba/IETF58/RADEXT/

2
What Is the Problem?

• RADIUS servers make decisions based on both
  static and dynamic state
• Static user profile, credentials, NAS-Port-Type,
  Called-Station-Id
• Dynamic time of day, simultaneous usage
• Fast handoff applications enable movement of the
  users point of attachment without initiating a
  new AAA exchange
• The result may not be the same as if a new AAA
  exchange had ensued
• Security vulnerabilities can result

3
Correctness in Fast Handoff Context Transfer

• Definition of Correct when the same state
  results as if the peer had authenticated with the
  AAA server
• Examples of incorrect transactions
• Peer authenticates with GUEST SSID, derives a
  key, does successful fast handoff within same
  physical AP to the CARRIER SSID
• Result Carrier sees an accounting record for
  GUEST which either doesnt have an account, or it
  bills the wrong user
• Peer authenticates to an AP, does fast handoff
  to same virtual AP in order to cause Session-Time
  variable to be reset.
• Clients gain unlimited network access.

4
Key scoping attributes

• Authorized-SSID
• String, including an SSID the user is authorized
  to associate with
• Multiple attributes possible in an Access-Accept
• Fast-Handoff-Allowed
• Integer, value 1 for TRUE, 0 for FALSE
• Default value FALSE?

5
Feedback?