On Wed, 2 Aug 2023, at 18:49, Eliot Lear wrote:

> Keep this in mind: end devices should be presumed to be pressed for
> resources, and anything requiring additional unnecessary authentications
> should be avoided in that case.

I could imagine a realtime video streaming device where, during a reprovisioning process, the RADIUS server would send an EAP-Failure to force a full authentication, resulting in the authenticator starting to drop hard traffic until it is told otherwise. For this reason I do not think forcing a full authentication in such a manner is going to be desirable.

> But again, this is all server side policy. The only aspect for the
> client is that it should know when to re-authenticate if the server
> requires it.

I agree. Policy already has to handle "do not allow chaining session resumptions indefinitely", and the recommendation is to redo at least part of the authorisation step again to catch things like account expiry/disabled, time of day restrictions and what not.

For user credential backed EAP methods, if a user's password is changed, existing sessions should be forced to re-authenticate if not forcibly disconnected. Of course this event may be because the password has been leaked, but the 'what' to do is policy not protocol.

Cheers

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
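The server-side resumption policy the reply describes (re-run the cheap authorization checks on each resumption, force a full authentication after a password change or when resumptions have chained for too long), as an added example that is not part of this thread or of any RADIUS/EAP server's code; the outcome labels, the 5-resumption and 24-hour limits, and the account/session records are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

# Outcomes the server can choose for a resumption attempt (constructed labels).
ALLOW_RESUMPTION = "allow-resumption"  # accept the resumed session as-is
FORCE_FULL_AUTH = "force-full-auth"    # answer EAP-Failure so the peer starts a full EAP exchange
REJECT = "reject"                      # authorization would fail even after a full exchange

@dataclass
class ResumableSession:
    user: str
    last_full_auth: datetime  # when the last complete EAP authentication finished
    resumptions: int          # resumptions already chained onto that authentication

@dataclass
class AccountState:
    disabled: bool = False
    expires: Optional[datetime] = None
    password_changed: Optional[datetime] = None
    allowed_hours: Optional[Tuple[time, time]] = None  # (start, end); may wrap midnight

def _within_hours(window: Tuple[time, time], now: time) -> bool:
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps midnight, e.g. 22:00-06:00

class ResumptionPolicy:
    """Re-check authorization on every resumption and cap how long and how often a
    session may be resumed without a full authentication (limits are assumptions)."""

    def __init__(self, max_resumptions: int = 5, max_auth_age: timedelta = timedelta(hours=24)):
        self.max_resumptions = max_resumptions
        self.max_auth_age = max_auth_age

    def evaluate(self, session: ResumableSession, account: AccountState, now: datetime) -> str:
        # Authorization state that no re-authentication can fix: refuse outright.
        if account.disabled or (account.expires is not None and now >= account.expires):
            return REJECT
        if account.allowed_hours and not _within_hours(account.allowed_hours, now.time()):
            return REJECT
        # The credential the session was built on is no longer the current one.
        if account.password_changed is not None and account.password_changed > session.last_full_auth:
            return FORCE_FULL_AUTH
        # Do not let resumptions chain indefinitely.
        if session.resumptions >= self.max_resumptions or now - session.last_full_auth > self.max_auth_age:
            return FORCE_FULL_AUTH
        return ALLOW_RESUMPTION
```

A FORCE_FULL_AUTH result is the EAP-Failure path discussed above; how an authenticator treats traffic while that full exchange runs is outside what this policy decides.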