FR3 and EAP-TLS session cache

Jüri Palis jyri.palis at gmail.com
Fri Jun 19 16:30:44 CEST 2015


Hi,


Here is the invalid cache file
-------------- next part --------------
A non-text attachment was scrubbed...
Name: invalid_cache.vps
Type: application/octet-stream
Size: 1153 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150619/1c5ac262/attachment-0001.obj>
-------------- next part --------------


PS. Certificates involved with EAP-TLS in my environment are AD auto enrolled (user or host) certificates.

Regards,
Jyri.

On 19 Jun 2015, at 17:05, Alan DeKok <aland at deployingradius.com> wrote:

> On Jun 19, 2015, at 2:19 AM, Jyri Palis <jyri.palis at gmail.com> wrote:
>> Almost there :) but now the code which handles persistent cache writes an incorrectly formatted vps file to disk:
> 
>  Can you send the complete file, instead of just a piece?
> 
>  It works in my tests.  Please be sure that you've deleted all old files from the system.
> 
>> Fri Jun 19 09:02:20 2015 : Debug: reading pairlist file /var/log/radius/tlscache/baa4c42c8274dcb7d560072c5fe9040003f1c03e2d4d744114f55c096dfea3a8.vps
>> Fri Jun 19 09:02:20 2015 : Error: /var/log/radius/tlscache/baa4c42c8274dcb7d560072c5fe9040003f1c03e2d4d744114f55c096dfea3a8.vps[16]: Parse error (reply) for entry baa4c42c8274dcb7d560072c5fe9040003f1c03e2d4d744114f55c096dfea3a8: Expected end of line or comma
>> Fri Jun 19 09:02:20 2015 : WARNING: (65) eap_tls: Failed loading persisted VPs for session baa4c42c8274dcb7d560072c5fe9040003f1c03e2d4d744114f55c096dfea3a8
>> 
>> After inspecting the VP cache file, indeed there is a formatting error at line 16
>> ….
>>   TLS-Client-Cert-X509v3-Authority-Key-Identifier += 'keyid:71:FC:8C:7D:7C:8E:3B:F7:F1:99:98:65:C9:E2:E4:21:5C:B9:EE:49
>>>> ...
>> 
>> The value of TLS-Client-Cert-X509v3-Authority-Key-Identifier is missing the terminating apostrophe.
> 
>  It's on the next line.... maybe the Key-Identifier has an embedded carriage return?
> 
>  That's why I ask for the whole file... that lets me see *exactly* what's going on, instead of getting just a sample which is taken out of context.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
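
A check for the failure discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it scans the text of a `.vps` cache file for single-quoted values that do not close on the line they start on, or that contain a carriage return. The file layout, the sample contents and the function names are assumptions constructed for illustration.

```python
import re

# Assumed layout: an entry name line, then indented "Attribute op 'value'" lines.
PAIR = re.compile(r"^\s+([A-Za-z0-9_.-]+)\s*(?:\+=|:=|==|=)\s*'(.*)$")

def _close_index(rest):
    """Index of the first unescaped single quote in rest, or -1 if none."""
    i = 0
    while i < len(rest):
        if rest[i] == "\\":      # skip the escaped character
            i += 2
            continue
        if rest[i] == "'":
            return i
        i += 1
    return -1

def find_broken_values(text):
    """Return (line_no, attribute, reason) for values a line-based parser would reject."""
    findings = []
    # Split on LF only, so a stray CR stays visible inside the line.
    for no, line in enumerate(text.split("\n"), start=1):
        m = PAIR.match(line)
        if not m:
            continue
        attr, rest = m.group(1), m.group(2)
        end = _close_index(rest)
        if end < 0:
            findings.append((no, attr, "unterminated quote"))
        elif "\r" in rest[:end]:
            findings.append((no, attr, "embedded CR"))
    return findings

# Constructed sample: the key identifier value ends with a newline, so its
# closing apostrophe lands on the following line, as in the report above.
SAMPLE = (
    "0123abcd\n"
    "\tTLS-Client-Cert-Common-Name += 'host.example.org',\n"
    "\tTLS-Client-Cert-X509v3-Authority-Key-Identifier += 'keyid:AA:BB:CC:DD\n"
    "',\n"
    "\tTLS-Client-Cert-Serial += '01'\n"
)

if __name__ == "__main__":
    for no, attr, reason in find_broken_values(SAMPLE):
        print(f"line {no}: {attr}: {reason}")
```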


