Cached attributes

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Thu Feb 25 12:28:53 CET 2016


On 24/02/16 14:38, Alan DeKok wrote:
> On Feb 24, 2016, at 9:24 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>> With your suggested change, for some reason it does a noop
>
>    That's fine.
>
>> (8)        update outer.session-state {
>> (8)          &outer.session-state:User-Name = &User-Name -> "iser-linauth at bris.ac.uk"
>> (8)        } # update outer.session-state (noop)
>
>    The "update" section isn't a module, and doesn't have the normal module return codes.
>
>> The outer User-Name should at this point be anonymous at bris.ac.uk so I would expect this update operation to make a change and set &outer.session-state:User-Name to iser-linauth etc.
>>
>> I'm not sure if I'm tying myself in knots here. Basically, in the past we've decided on the user's VLAN in outer post-auth based on their inner username, which we access like %{reply:User-Name} with use_tunneled_reply=yes. This doesn't work with resumed sessions in FR3 like it did on FR2 and we haven't been able to figure out why.
>
>    We reworked some of the SSL cache, which was required for new features.  It *should* continue to work, though.
>
>    But if you're putting attributes into the session-state list, they will remain there for the lifetime of the authentication session.  i.e. NOT the SSL session. The "session-state" list is NOT an SSL cache, and has nothing to do with SSL.
>
>    The SSL cache remains the same in v3.0 as in v2.2.  But again, putting things into session-state does NOT put them in the SSL cache.
>
>    Alan DeKok.
>

Thanks, this helps with the clarity. What I think I need to do is store 
the Inner-User-Name in the SSL cache so when the session later gets 
resumed, we can use the Inner-User-Name to make a VLAN decision.

How can I add specific attributes to the SSL cache?

Thanks,
Jonathan


