FR 2.1.8 Issue - Unjustified(?) Access-Rejects.
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 12 17:51:30 CET 2010
> [1] you need to share the SSL session cache between your different
> FreeRADIUS boxen, the support for that is not in OpenSSL yet if
> I remember correctly (or was it FreeRADIUS). This would be done
Shared SSL session caches are definitely supported in OpenSSL, and have
been for a while IIRC; see "distcache" for info. Whether it's compiled
into your SSL library, and whether there are caveats that mean it won't
work with FreeRADIUS... not sure.
Apache lists (commented out) config items like:
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
...in Fedora at least.
Whilst testing the SoH/NAP stuff, I saw some oddities with SSL session
resumption. I wasn't sure if it was something I did (i.e. broke inside
the PEAP code) or not, but the server seemed to be allowing resumption
even when it was disabled, i.e. with the default FR config.
Random info: PEAP/SoH in fact *does* send traffic inside the tunnel on
session resumption - the spec has the SoH exchanged even when resumed,
adding a round trip, but it doesn't re-run the inner mschap auth. Weird.
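An added example (not from the original post, and not FreeRADIUS code) of the check Phil is describing: connect to a TLS server twice from one client that keeps a session cache, and see whether the second handshake is a resumption. This uses Go's crypto/tls against an in-process test server with a self-signed certificate constructed in memory, plain TLS over TCP rather than EAP-TLS/PEAP inside RADIUS; the server-side "resumption disabled" knob here is Go's SessionTicketsDisabled, standing in for whatever the RADIUS server's TLS config exposes. The point is the observable, DidResume on the second connection, which should be false when the server has resumption off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway server certificate in memory.
// Constructed test material only; not a real server certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-resume-test"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"tls-resume-test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ResumptionObserved starts a TLS server that either allows or disables
// session resumption, makes two connections from a client holding a session
// cache, and reports whether the second handshake was resumed.
func ResumptionObserved(serverAllowsResumption bool) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: !serverAllowsResumption, // the "resumption off" knob
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()

	// Server side: accept, send one byte, close. The byte forces the client to
	// read, which is when a TLS 1.3 post-handshake NewSessionTicket is processed.
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Write([]byte{0})
			c.Close()
		}
	}()

	cliCfg := &tls.Config{
		RootCAs:            pool,
		ServerName:         "tls-resume-test",
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // client keeps sessions
	}
	var resumed bool
	for i := 0; i < 2; i++ {
		c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err != nil {
			return false, err
		}
		buf := make([]byte, 1)
		c.Read(buf) // drains the ticket (if any) plus the one data byte
		resumed = c.ConnectionState().DidResume
		c.Close()
	}
	return resumed, nil
}

func main() {
	for _, allow := range []bool{true, false} {
		r, err := ResumptionObserved(allow)
		if err != nil {
			panic(err)
		}
		fmt.Printf("server allows resumption=%v -> second handshake resumed=%v\n", allow, r)
	}
}
```

Against a real EAP server the same observable applies, but you need a supplicant (or a test tool that speaks EAP over RADIUS) that caches the session and reports whether the second TLS handshake inside EAP was abbreviated; if the server is configured with resumption off and the second handshake still resumes, that is the symptom described above.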