5.1.1 Fast Reconnect

PEAP fast reconnect is desirable in applications such as wireless roaming. This feature allows sessions to be resumed without completing a full authentication.

However, to avoid introducing security vulnerabilities, implementers need to consider the following:

  • In cases where no identity is proved with an inner EAP method, implementers need to ensure that the appropriate authorization checks are still performed for the session.

  • To protect against the risk of assigning the wrong identity in fast reconnect scenarios, implementations need to strongly tie identity information to the TLS session. That is, the PEAP implementation needs to be able to determine the user identity even when a session is resumed; if it cannot do so, it must not authorize access. The reason is that no inner EAP authentication takes place during fast reconnect, so proof of identity rests exclusively on the TLS session.
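As an added illustration (not code from the PEAP specification or from any implementation), the following Python model shows the server-side bookkeeping that these two points call for: the identity proven by the inner method is bound to the TLS session at full authentication, and a resumption is honoured only if that identity can be recovered and still passes authorization. The TLS handshake itself is not modelled: a random 32-byte string stands in for the TLS session ID, the authorization policy and the session lifetime are assumptions made for the example, and naive_fast_reconnect is included only to show the behaviour the second point warns against.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Illustrative model written for this page, not code from the PEAP
# specification or any product. A random 32-byte string stands in for the
# TLS session ID that the peer presents on resumption.

SESSION_LIFETIME = 8 * 3600  # assumed cache lifetime in seconds (a policy choice)


@dataclass
class SessionRecord:
    identity: Optional[str]  # identity proven by the inner EAP method, or None
    created: float           # time of the full authentication that created it


class PeapServer:
    """Server-side state for PEAP full authentication and fast reconnect."""

    def __init__(self, authorize: Callable[[Optional[str]], bool],
                 lifetime: float = SESSION_LIFETIME) -> None:
        self.cache: Dict[bytes, SessionRecord] = {}
        self.authorize = authorize  # policy: is this identity allowed on the network?
        self.lifetime = lifetime

    def full_authentication(self, inner_identity: Optional[str],
                            now: Optional[float] = None) -> Tuple[str, Optional[bytes]]:
        """Complete a full PEAP exchange. inner_identity is the identity the
        inner EAP method proved, or None if it proved none. Authorization
        runs in both cases (first bullet above)."""
        now = time.time() if now is None else now
        if not self.authorize(inner_identity):
            return ("reject", None)
        session_id = os.urandom(32)
        # Bind the proven identity to the TLS session so a later resumption
        # can recover it without running an inner EAP method again.
        self.cache[session_id] = SessionRecord(inner_identity, now)
        return ("accept", session_id)

    def fast_reconnect(self, session_id: bytes,
                       now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Handle a TLS session resumption. No inner EAP method runs here, so
        the TLS session is the only proof of identity the server has."""
        now = time.time() if now is None else now
        record = self.cache.get(session_id)
        if record is None or now - record.created > self.lifetime:
            # Unknown or expired session: forget it and require full authentication.
            self.cache.pop(session_id, None)
            return ("full-auth-required", None)
        if record.identity is None:
            # No identity is bound to this session, so resuming it would grant
            # access to a peer we cannot name. Refuse and require full auth.
            del self.cache[session_id]
            return ("full-auth-required", None)
        if not self.authorize(record.identity):
            # Authorization may have changed since the full authentication
            # (account disabled, policy updated); re-check it on every resumption.
            del self.cache[session_id]
            return ("reject", None)
        return ("accept", record.identity)

    def naive_fast_reconnect(self, session_id: bytes) -> Tuple[str, Optional[str]]:
        """The mistake the second bullet warns against: accept any cached
        session without recovering an identity or re-running authorization."""
        if session_id in self.cache:
            return ("accept", self.cache[session_id].identity)
        return ("full-auth-required", None)


def demo() -> dict:
    """Run the scenarios from the text and return their outcomes."""
    # Constructed policy: named users in `allowed`, plus anonymous guest access.
    allowed = {"alice@example.com", "bob@example.com"}

    def policy(identity: Optional[str]) -> bool:
        return identity is None or identity in allowed

    server = PeapServer(policy)
    t0 = 1_000_000.0
    _, alice_sid = server.full_authentication("alice@example.com", now=t0)
    _, bob_sid = server.full_authentication("bob@example.com", now=t0)
    _, guest_sid = server.full_authentication(None, now=t0)
    results = {
        "alice_resume": server.fast_reconnect(alice_sid, now=t0 + 60),
        # Naive resumption hands out access with no identity behind it.
        "guest_resume_naive": server.naive_fast_reconnect(guest_sid),
        "guest_resume_hardened": server.fast_reconnect(guest_sid, now=t0 + 60),
        "unknown_sid": server.fast_reconnect(os.urandom(32), now=t0 + 60),
        # A session older than the configured lifetime is not resumable.
        "alice_expired": server.fast_reconnect(alice_sid, now=t0 + 9 * 3600),
    }
    # Bob's account is disabled after his session was created; the next
    # resumption must notice instead of trusting the cached session.
    allowed.discard("bob@example.com")
    results["bob_resume_after_disable"] = server.fast_reconnect(bob_sid, now=t0 + 120)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The policy callable is where the first bullet's authorization check lives: it runs at full authentication even when inner_identity is None, and again on every resumption, so a change in account state between the two is caught. The contrast between naive_fast_reconnect and fast_reconnect on the guest session is the second bullet: both see a valid cached TLS session, but only the hardened path notices that no identity can be recovered from it.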