Setting Cached-Session-Policy
Gerald Vogt
vogt at spamcop.net
Mon Jun 6 17:30:43 CEST 2011
Hi!
I am trying to get fast session resumption with VLAN assignments to
work. I have tried the suggestion in this message:
http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html
However, it seems to me as if the post-auth section is too late to set
the Cached-Session-Policy. I have added the following to the beginning
of the post-auth section in the default site:

    post-auth {
        if ( reply:Cached-Session-Policy ) {
            if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
                update reply {
                    Reply-Message += "Cached policy: %{reply:Cached-Session-Policy}"
                    Tunnel-Private-Group-ID := "%{1}"
                    Tunnel-Type = VLAN
                    Tunnel-Medium-Type = IEEE-802
                }
            }
        }
        elsif ( reply:Tunnel-Private_group-ID ) {
            update reply {
                Cached-Session-Policy := "vlan=%{reply:Tunnel-Private-Group-ID}"
            }
        }

I can see in the logs that this correctly sets Cached-Session-Policy,
e.g. to vlan=10. However, during session resumption it will only add
User-Name and Stripped-User-Name.
During the initial session setup I can see that attributes are saved
into the cache:

    [peap] Success
    [peap] Using saved attributes from the original Access-Accept
        Tunnel-Private-Group-Id:0 = "18"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        User-Name = "vogt"
    [peap] Saving response in the cache
    [eap] Freeing handler
    ++[eap] returns ok
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++? if (reply:Cached-Session-Policy )
    ? Evaluating (reply:Cached-Session-Policy ) -> FALSE
    ++? if (reply:Cached-Session-Policy ) -> FALSE
    ++? elsif (reply:Tunnel-Private_group-ID )
    ? Evaluating (reply:Tunnel-Private_group-ID ) -> TRUE
    ++? elsif (reply:Tunnel-Private_group-ID ) -> TRUE
    ++- entering elsif (reply:Tunnel-Private_group-ID ) {...}
    expand: vlan=%{reply:Tunnel-Private-Group-ID} -> vlan=18
    +++[reply] returns noop
    ++- elsif (reply:Tunnel-Private_group-ID ) returns noop

Now, if I understand the source code correctly, attributes are saved
when freeradius logs "Saving response in the cache". I think this
means that setting Cached-Session-Policy in post-auth is too late
because at that point the caching already happened and modifying
Cached-Session-Policy won't affect what is stored in the cache.
This is what is logged during session resumption:

    [peap] Adding cached attributes to the reply:
        User-Name = "vogt"
        Stripped-User-Name = "vogt"
    [eap] Freeing handler
    ++[eap] returns ok

Should setting Cached-Session-Policy in post-auth have an effect on
cached attributes or not?
Cheers,
Gerald
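
Added example, not part of the original message: a Python check built on the two [peap] debug lines quoted above, which flags resumed sessions whose cached reply lacks the VLAN attributes. The sample log is constructed from the post's excerpts, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the debug lines quoted in the post above.
SAMPLE_LOG = """\
[peap] Using saved attributes from the original Access-Accept
\tTunnel-Private-Group-Id:0 = "18"
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Type:0 = VLAN
\tUser-Name = "vogt"
[peap] Saving response in the cache
[peap] Adding cached attributes to the reply:
\tUser-Name = "vogt"
\tStripped-User-Name = "vogt"
[eap] Freeing handler
"""

HEADERS = {"Using saved attributes from the original Access-Accept": "initial",
           "Adding cached attributes to the reply:": "resumed"}
ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(.*)$')
VLAN_ATTRS = {"tunnel-type", "tunnel-medium-type", "tunnel-private-group-id"}

def parse_blocks(text):
    """Return [(kind, {attr_lower: value})] for every [peap] attribute block."""
    blocks, current = [], None
    for line in text.splitlines():
        m = re.match(r'^\s*\[peap\]\s+(.*)$', line)
        if m and m.group(1).strip() in HEADERS:
            current = (HEADERS[m.group(1).strip()], {})
            blocks.append(current)
            continue
        a = ATTR_RE.match(line) if current else None
        if a:
            current[1][a.group(1).lower()] = a.group(2).strip().strip('"')
        else:
            current = None  # any other line ends the attribute block
    return blocks

def resumptions_missing_vlan(text):
    """List (User-Name, missing attrs) for resumed sessions without a full VLAN reply."""
    findings = []
    for kind, attrs in parse_blocks(text):
        missing = sorted(VLAN_ATTRS - attrs.keys())
        if kind == "resumed" and missing:
            findings.append((attrs.get("user-name", "?"), missing))
    return findings

if __name__ == "__main__":
    for user, missing in resumptions_missing_vlan(SAMPLE_LOG):
        print(f"resumed session for {user} lacks: {', '.join(missing)}")
```

The parser accepts attribute lines with or without leading whitespace, so it also works on debug output pasted with its indentation stripped.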