FR 2.1.8 Issue - Unjustified(?) Access-Rejects.

Alexander Clouter alex at
Tue Jan 12 15:49:38 CET 2010

Stefan Winter <stefan.winter at> wrote:
>>> Is this likely to be a configuration error (no changes were made to the
>>> 2.1.7 config), or a bug?
>>   Try increasing the size of the cache.  Try ensuring that there is
>> always a User-Name in the inner tunnel.  This user name is cached, and
>> is checked on session resumption.
> How does this work together with anonymous outer ids? I.e. if outer
> User-Name = anon at and the inner User-Name is stefan at, then
> the cache contains a session for stefan at
> On session resumption, there is no inner tunnel exchange, there's a
> packet User-Name = anon at and an EAP-Message with SSL magic (but
> no inner User-Name)... So how does FreeRADIUS know what to look up in
> the cache? Or am I missing something here?
You get the inner-tunnel to return in the reply packet the inner 
User-Name (you probably are doing this already to fixup your accounting 
packets properly) and it's that reply response which is cached by the 
session-resumption cache thingy mcwhatsit.

Works rather nicely here.  It's a minor ballache with load-balancers and 
overlapping 'eduroam' domains mind you...but that is a non-trivially[1] 
solved problem and something I can live with as it rarely crops up.


[1] you need to share the SSL session cache between your different 
	FreeRADIUS boxen, the support for that is not in OpenSSL yet if 
	I remember correctly (or was it FreeRADIUS).  This would be done 
	with some file that could probably be NFS shared or something or 
	other with locking safely enough

Alexander Clouter
.sigmonster says: How come only your friends step on your new white sneakers?
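The setup Alexander describes, as an added configuration example that is not part of the original thread: the inner tunnel puts the real identity into its reply, the outer EAP method copies that reply into the Access-Accept, and the TLS session cache stores it alongside the session so a resumed session can be matched to a user without a second inner exchange. The section and setting names below are assumed from the FreeRADIUS 2.1-era `eap.conf` and `sites-available/inner-tunnel` (`cache`, `use_tunneled_reply`, `update reply`); check them against the files shipped with the version actually running.

```conf
# eap.conf (assumed FreeRADIUS 2.1.x layout)
eap {
	tls {
		# certificate, key and CA settings unchanged from the existing config

		# Session cache: resumed sessions are looked up here by TLS
		# session ID, and the reply attributes saved at full
		# authentication (including User-Name) are restored from it.
		cache {
			enable = yes
			lifetime = 24     # hours a session stays resumable
			max_entries = 255 # raise if resumptions start failing
		}
	}

	peap {
		# Copy the inner-tunnel reply (and so the inner User-Name) into the
		# outer Access-Accept, which is what the session cache stores.
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}

	ttls {
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}

# sites-available/inner-tunnel (assumed 2.1.x unlang syntax)
post-auth {
	# Return the real identity in the reply, so that the cached entry
	# carries "stefan at ..." rather than the anonymous outer "anon at ...".
	update reply {
		User-Name := "%{User-Name}"
	}
}
```

With `radiusd -X`, a full (non-resumed) authentication should now show the inner User-Name in the Access-Accept; a later resumption of the same TLS session should be accepted with that attribute restored from the cache rather than rejected. If resumptions are rejected instead, the cache `max_entries` and `lifetime` are the first things to check, as in the reply above. The cache lives in each server process, which is the load-balancer problem from footnote [1]: a client whose resumption attempt lands on a different FreeRADIUS box will not find its session there, so either pin a client's traffic to one server or accept that those sessions fall back to a full authentication.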
