Hello everyone, I want to thank you in advance for taking the time to help me, as well as apologize if I ask bogus questions or questions that have already been answered. Ive been trying to implement a FreeRADIUS service inside of a University for the past 3 months, Ive read as much documentation as possible (books : FreeRADIUS Beginner guide and Authentication réseau avec RADIUS, all resources on freeradius <https://wiki.freeradius.org/Home> and networkradius <https://networkradius.com/doc/3.0.10/index.html> ) before asking questions. Im implementing 802.1X protocol on our wired network using EAP-TTLS/PAP protocol for communications between supplicants and our radius server. Were using LDAP as our main user storage, and a file with rlm_files modules for devices which doesnt support EAP. My radius infrastructure is composed as following: I got 2 VM running FreeRADIUS version 3.2.1 I have several questions: I- Session-State : 1. What is the purpose of the State attribute defined in RFC2865 (I read it but doesnt fully understand the purpose of this attribute), and is it linked in any way to the Session-State list? Also, Is there any documentation about the Session-State list? 2. Are attributes stored in Session-State list automatically retrieved when a new request is incoming and added to the Request list? 3. Does attributes stored in Session-State list persist between all packets of a conversation (from the first Access-request to the Access-Accept/Reject), and does the same Session-State list still exist for the accounting, or is it reinitialize once an Access-Accept/Reject has been sent? II- Attributes : I would like to have some information about those attributes to know, what they are supposed to store and how they are supposed to be used: 1) Session-Type: What does it refer? 2) Allow-Session-Resumption: Does this attribute is set to Yes by default, or does it have to be added somewhere, and what is the difference with EAP-Session-Resumed? 3) Cached-Session-Policy: For applying a policy to the cache, do I have to store the file path to the policy, or just the name of the policy that I want to apply? 4) SSHA2-256-Password: my passwords are stored in my LDAP with a salt and a sha256 hash, does it will be stored in Password-With-Header or also in SSHA2-256-Password ? 5) EAP : a. EAP-Session-Id : Does this value is set automatically the value of this attribute the ID of the EAP-Session will be the same, b. What is the difference between EAP-Id and EAP-Session-Id? 6) TLS : a. TLS-Cache-Method : Does the value of this attribute trigger instantiation of the module rlm_cache defined inside of tls-cache virtual server? b. TLS-Session-Data : Can I retrieve data from this attribute, or does it exist simply to store data that pass through my TLS tunnel? c. TLS-Cache-Filename : What is the difference between this attribute and Cached-Session-Policy? III- TLS : 1. When were setting virtual_server = "inner-tunnel" inside of module rlm_eap, is it just that the module rlm_eap knows when the TLS tunnel is set up and then for the inner exchange itll use this one or is it considerate as a proxy to the inner-tunnel server from the default server? IV- Cache : Because were a university I want to implement the fast resumption of sessions, I want to cache living sessions for a duration of 6 hours, so if a user doesnt re-authenticate during this period it will have to perform a complete re-authentication. 1. Does the cache section inside of the module rlm_eap, automatically store (session-Id, User-Name, Stripped-User-Name, Cached-Session-Policy), how can the session be resumed from this entry? 2. What is the difference between module rlm_cache and the session-state list in the persistence of information stored? V- Log : 1. I use the cui attribute as follows to have a unique identifier for a user inside of my TTLS tunnel (I know the attribute is originally designed to serve as an alias identifier of the username identity according to rfc4372) : %{sha1:${policy.cui_hash_key}%{request:Stripped-User-Name}%{ request:Operator-Name}%{request:User-Password}}, with policy.cui_hash_key which is a salt added to the hash 2. In order to retrieve my cache session, I plan to use CUI as my key, is there a better way to do so? 3. Once a device has been granted access to the network and once it retrieves an IP address, does the IP address will be included in the accounting packets? VI- Charge of the server : 1. Is there a way to know the live charge of a radius server as a String expansion to decide whether or not to proxy the request to another radius server (I dont know if the parameter max_requests is designed for this purpose)? 2. To do load-balancing between my VMs, is possible natively with FreeRADIUS or do I have to use an external load-balancer? VII- Home server : I got the following proxy.conf file: proxy server { default_fallback = no dynamic = no } home_server localhost { type = auth ipaddr = 127.0.0.1 port = 1812 proto = udp secret = << secret >> response_window = 20 zombie_period = 40 status_check = status-server check_interval = 10 check_timeout = 4 num_answers_to_alive = 3 max_outstanding = 65536 } home_server ru-freeradius-as2 { type = auth ipaddr = 10.101.0.10 port = 1812 proto = udp secret = << secret >> response_window = 20 zombie_period = 40 status_check = status-server check_interval = 10 check_timeout = 4 num_answers_to_alive = 3 max_outstanding = 32268 } home_server_pool my_auth_failover { type = fail-over home_server = localhost home_server = ru-freeradius-as2 virtual_server = pre_post_proxy_for_pool } realm my.realm { auth_pool = my_auth_failover } If I use the suffix instance of the module rlm_realm in the configuration of the default server in the authorize section, and the given User-Name is user@my.realm 1. Does my request will be passed through the my_auth_failover pool, and so being proxied to the home_server localhost server and set Proxy-To-Realm = LOCAL. Is this server to which the request is being proxy the default server? Again, Thank you for reading this long message with many questions, and for your help! I really appreciate it. Florent VERCOURT