EAP Session resumption && reply attributes
A.L.M.Buxey at lboro.ac.uk
Mon Jan 18 11:05:53 CET 2010
> In order to also return e.g. VLAN IDs (that could be computed from the
> inner User-Name in a non-session-resumption enabled config), I can move
> the config that sets the VLAN to the outer tunnel post-auth && ensure the
> inner tunnel sets:
> reply:outer User-Name to request:inner User-Name
> and then key my VLAN computation (in outer post-auth) from reply:User-Name.
> I can see other possibilities to do this (e.g. cache
> Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok
> to me. Can anyone on the list spot any problems, something that I've
> missed / gotchas with the above?
this is a fine idea - you only need to hit the handling logic post-auth
(after the basic accept/reject has been done). just ensure that you dont pass
this inner-id stuff back to remote proxies.
More information about the Freeradius-Users