*TLS* Session caching in v3.0.9

Jason Alderfer jha2 at emu.edu
Fri Sep 4 18:16:15 CEST 2015


On Mon, Aug 31, 2015 at 3:12 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Aug 31, 2015, at 2:06 PM, Jason Alderfer <jha2 at emu.edu> wrote:
> > I'm having trouble getting session caching to work in 3.0.9.
>
>    It's not clear what you mean by "session caching".
>

I want to use TLS session caching to enable TLS session resumption aka MS
"fast reconnect".  In the TLS session cache I want to store a VLAN value to
be sent back in the TLS session resumptions.

>   Did you configure the TLS session caching in raddb/mods-available/eap?
>

Yes.  It is enabled.

>   This is NOT the same thing as the "cache" module.  And it's NOT the same
> thing as the session-state.
>
> > Question 2:  See attached debug log.  When a session resumes, the cached
> > info appears to be read correctly from the cache (see "Debug: (41)") but it
> > never gets sent back in the reply (see "Debug: (42)").
>
>   Try using v3.0.x from github.  It may be better.  I've put a few fixes
> in which should help.


Testing with v3.0.x.  What I found:

1.  In order to get TLS sessions to be cached without needing to enable
use_tunneled_reply = yes, I had to put the following in the "authorize"
section of "default" so that it came before the eap module was called.
Otherwise eap didn't find anything to cache.

        # Copy whatever earlier requests stored in session-state into the
        # reply, so that eap has something to cache when the TLS session
        # is established.
        update {
                &reply: += &session-state:
        }

        # On resumption, turn the cached "vlan=N" policy back into the
        # VLAN attributes the NAS expects.
        if ( &reply:Cached-Session-Policy ) {
                if ( &reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
                        update reply {
                                Reply-Message += "Cached policy:%{reply:Cached-Session-Policy}"
                                Tunnel-Private-Group-ID := "%{1}"
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802
                        }
                }
        }

2.  With the above in place, caching appears to work correctly.  All
expected attributes are in the cache, and on session resumption they are
read correctly from the cache; however, they are not sent back in the final
reply.  See below.

[...]
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: SSL Connection Established
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: SSL Application Data
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: Adding cached attributes from session f2da74c194f913b553b402be956fef89d955c31ac3438cfd3d173e803d37c269
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap:   reply:User-Name += "alderfjh"
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap:   reply:Cached-Session-Policy += "vlan=3"
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: [eaptls process] = success
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: Session established.  Decoding tunneled attributes
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: PEAP state TUNNEL ESTABLISHED
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: Skipping Phase2 because of session resumption
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap: SUCCESS
Fri Sep  4 11:41:29 2015 : Debug: (14) eap: Sending EAP Request (code 1) ID 5 length 43
Fri Sep  4 11:41:29 2015 : Debug: (14) eap: EAP session adding &reply:State = 0x0a356ef1083077e4
Fri Sep  4 11:41:29 2015 : Debug: (14)     modsingle[authenticate]: returned from eap (rlm_eap) for request 14
Fri Sep  4 11:41:29 2015 : Debug: (14)     [eap] = handled
Fri Sep  4 11:41:29 2015 : Debug: (14)   } # authenticate = handled
Fri Sep  4 11:41:29 2015 : Debug: (14) Using Post-Auth-Type Challenge
Fri Sep  4 11:41:29 2015 : Debug: (14) Post-Auth-Type sub-section not found.  Ignoring.
Fri Sep  4 11:41:29 2015 : Debug: (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Fri Sep  4 11:41:29 2015 : Debug: (14) session-state: Nothing to cache
Fri Sep  4 11:41:29 2015 : Debug: (14) Sent Access-Challenge Id 161 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0
Fri Sep  4 11:41:29 2015 : Debug: (14)   User-Name += "alderfjh"
Fri Sep  4 11:41:29 2015 : Debug: (14)   EAP-Message = 0x0105002b1900170301002089c927cc662723556271f795130acfbd6f74cf74844c6194fc8edf6008822831
Fri Sep  4 11:41:29 2015 : Debug: (14)   Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep  4 11:41:29 2015 : Debug: (14)   State = 0x0a356ef1083077e4f2094fd2b79c8abb
Fri Sep  4 11:41:29 2015 : Debug: (14) Finished request
[...]
Fri Sep  4 11:41:29 2015 : Debug: (15) Received Access-Request Id 141 from 10.3.20.20:32858 to 10.3.20.8:1812 length 317
Fri Sep  4 11:41:29 2015 : Debug: (15)   User-Name = "alderfjh"
Fri Sep  4 11:41:29 2015 : Debug: (15)   NAS-IP-Address = 192.168.20.2
Fri Sep  4 11:41:29 2015 : Debug: (15)   NAS-Port = 0
Fri Sep  4 11:41:29 2015 : Debug: (15)   NAS-Identifier = "192.168.20.2"
Fri Sep  4 11:41:29 2015 : Debug: (15)   NAS-Port-Type = Wireless-802.11
Fri Sep  4 11:41:29 2015 : Debug: (15)   Calling-Station-Id = "BC6E64721BDA"
Fri Sep  4 11:41:29 2015 : Debug: (15)   Called-Station-Id = "000B86612D64"
Fri Sep  4 11:41:29 2015 : Debug: (15)   Service-Type = Login-User
Fri Sep  4 11:41:29 2015 : Debug: (15)   Framed-MTU = 1100
Fri Sep  4 11:41:29 2015 : Debug: (15)   EAP-Message = 0x0205005019001703010020b1e84bef14eb5dc34d86f50ad057aab7481972c63dcb75bcb83bdd08af79d8aa17030100206040b54b4046a27a7e464b0c4168296c41675fd2fd609d882b352a400c8e8fbb
Fri Sep  4 11:41:29 2015 : Debug: (15)   State = 0x0a356ef1083077e4f2094fd2b79c8abb
Fri Sep  4 11:41:29 2015 : Debug: (15)   Aruba-Essid-Name = "EMU-testdad"
Fri Sep  4 11:41:29 2015 : Debug: (15)   Aruba-Location-Id = "NL1-1st-great-lounge-103-ap65"
Fri Sep  4 11:41:29 2015 : Debug: (15)   Aruba-AP-Group = "NL-master-only-normal-ARM"
Fri Sep  4 11:41:29 2015 : Debug: (15)   Message-Authenticator = 0xe57b4ba73dfd4ebcb4fcd80cf4f1cbe3
Fri Sep  4 11:41:29 2015 : Debug: (15) session-state: No cached attributes
Fri Sep  4 11:41:29 2015 : Debug: (15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Fri Sep  4 11:41:29 2015 : Debug: (15)   authorize {
Fri Sep  4 11:41:29 2015 : Debug: (15)     update {
Fri Sep  4 11:41:29 2015 : Debug: (15)       No attributes updated
Fri Sep  4 11:41:29 2015 : Debug: (15)     } # update = noop
Fri Sep  4 11:41:29 2015 : Debug: (15)     if ( &reply:Cached-Session-Policy ) {
Fri Sep  4 11:41:29 2015 : Debug: (15)     if ( &reply:Cached-Session-Policy )  -> FALSE
[...]
Fri Sep  4 11:41:29 2015 : Debug: (15) Sent Access-Accept Id 141 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0
Fri Sep  4 11:41:29 2015 : Debug: (15)   MS-MPPE-Recv-Key = 0x9f85989d1bc6533c26517adb7a130fa621c778ebd0d6fcc46319384e279481b4
Fri Sep  4 11:41:29 2015 : Debug: (15)   MS-MPPE-Send-Key = 0xebbb603a80d0fe376d053c7101e5d8f8e35464c55efa82305133b0668bcc440a
Fri Sep  4 11:41:29 2015 : Debug: (15)   User-Name = "alderfjh"
Fri Sep  4 11:41:29 2015 : Debug: (15) Finished request
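The failure described in the post (the cache supplies "vlan=3" during the resumed handshake, but the Access-Accept that follows carries no Tunnel-Private-Group-ID) can be checked mechanically against a radiusd -X debug log. The script below is an added example, not code from the post or from FreeRADIUS: it follows each resumption across the Access-Challenge/Access-Request hop via the State attribute and reports what was cached versus what was actually sent. It assumes the policy is stored as a "vlan=N" string as in the post's config; the sample log is constructed and condensed from the post's output, and check_resumed_vlans is a name chosen here.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the post's debug output: request 14 resumes
# the TLS session and gets vlan=3 from the cache, request 15 sends the Access-Accept.
SAMPLE_LOG = """\
Fri Sep  4 11:41:29 2015 : Debug: (14) eap_peap:   reply:Cached-Session-Policy += "vlan=3"
Fri Sep  4 11:41:29 2015 : Debug: (14) Sent Access-Challenge Id 161 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0
Fri Sep  4 11:41:29 2015 : Debug: (14)   State = 0x0a356ef1083077e4f2094fd2b79c8abb
Fri Sep  4 11:41:29 2015 : Debug: (14) Finished request
Fri Sep  4 11:41:29 2015 : Debug: (15) Received Access-Request Id 141 from 10.3.20.20:32858 to 10.3.20.8:1812 length 317
Fri Sep  4 11:41:29 2015 : Debug: (15)   State = 0x0a356ef1083077e4f2094fd2b79c8abb
Fri Sep  4 11:41:29 2015 : Debug: (15) Sent Access-Accept Id 141 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0
Fri Sep  4 11:41:29 2015 : Debug: (15)   User-Name = "alderfjh"
Fri Sep  4 11:41:29 2015 : Debug: (15) Finished request
"""

LINE_RE = re.compile(r"^.* : Debug: \((\d+)\) (.*)$")          # request number, rest of line
POLICY_RE = re.compile(r'reply:Cached-Session-Policy \+= "[^"]*vlan=([^",]+)')
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)(?::\d+)? (?:\+=|:=|=) (.*)$")  # ":0" tag dropped
PKT = {"Sent Access-Challenge": "challenge", "Received Access-Request": "request",
       "Sent Access-Accept": "accept"}

def check_resumed_vlans(log_text):
    """Return (request, vlan from cache, Tunnel-Private-Group-ID sent or None) per resumed Accept."""
    cached, by_state = {}, {}            # request -> vlan; State token -> vlan across the hop
    mode, accept = {}, defaultdict(dict)  # request -> packet block; request -> Accept attributes
    findings = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        req, rest = int(m.group(1)), m.group(2).strip()
        pm = POLICY_RE.search(rest)
        if pm:
            cached[req] = pm.group(1)
        elif rest.split(" Id ")[0] in PKT:
            mode[req] = PKT[rest.split(" Id ")[0]]
        elif rest.startswith("Finished request"):
            if mode.get(req) == "accept" and req in cached:
                findings.append((req, cached[req], accept[req].get("Tunnel-Private-Group-ID")))
            mode.pop(req, None)
        elif (am := ATTR_RE.match(rest)):
            name, val = am.group(1), am.group(2).strip('"')
            if mode.get(req) == "challenge" and name == "State" and req in cached:
                by_state[val] = cached[req]       # carry the VLAN to the next round trip
            elif mode.get(req) == "request" and name == "State" and val in by_state:
                cached[req] = by_state.pop(val)   # the follow-up request inherits it
            elif mode.get(req) == "accept":
                accept[req][name] = val
    return findings
```

A None in the third field is exactly the symptom in the post: the VLAN was read from the cache but never reached the Access-Accept.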