I am apparently using the Caching improperly in regards to
configuration in eap.conf. The first authentication works great
(EAP-PEAP-MSChapv2) and DB lookups. The second time (with caching
enabled) it appears to only be adding the User-Name attribute to the
reply. I see the comments in the file "eap.conf" but they don't go
very far into explaining how to get certain attributes saved INTO
the cache or pulled out of it.
Does anyone have an example of how to use this
"Cached-Session-Policy" which is applied to the cached session?
eap.conf cache section reads:
The "Cached-Session-Policy" is the name of a policy
which should be applied to the cached session. This policy can be
used to assign VLANs, IP addresses, etc. It serves as a useful
way to re-apply the policy from the original Access-Accept to the
subsequent Access-Accept for the cached session.
What exactly am I supposed to store into the attribute
"Cached-Session-Policy"? Is this referring to a policy within the
file "policy.conf" that will run and extract attributes according to
the function there or is it something else?
The notes also say:
# You probably also want "use_tunneled_reply = yes"
when using fast session resumption.
And I have turned that on everywhere I could find, but it doesn't
appear to be even saving the 1st values of Tunnel-Private-Group-Id.
Debug output:
First time that responds correctly given a VLAN.
[snipped]
[peap] Using saved attributes from the original Access-Accept
Tunnel-Private-Group-Id:0 = "316"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
User-Name = "jd187"
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/services/freeradius/etc/raddb//sites-enabled/dvlan-1x-working
} # server dvlan-1x-test1
Sending Access-Accept of id 157 to 128.61.2.253 port 1645
Tunnel-Private-Group-Id:0 = "316"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
User-Name = "jd187"
MS-MPPE-Recv-Key =
0xbdc694a560b3fc4e37385fe08bb9876e11d215add69317c704fa374f462bcb0a
MS-MPPE-Send-Key =
0xa039b0c10a7ef3511a68cdd837f13747c7a4adcb86dc5d73a8506f0105a9ced4
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 7.
Going to the next request
After attempting a second auth which appears to bypass the logic to
assign a VLAN but doesn't appear to be adding it to the response
from the cache at all.
[snipped]
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Adding cached attributes to the reply:
User-Name = "jd187"
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/services/freeradius/etc/raddb//sites-enabled/dvlan-1x-working
} # server dvlan-1x-test1
Sending Access-Accept of id 161 to 128.61.2.253 port 1645
User-Name = "jd187"
MS-MPPE-Recv-Key =
0x0d398b0ed22899753eac37c8b308afb8a600a4be2b35d4260470148c6f4774cc
MS-MPPE-Send-Key =
0x570045c77b56ef4d327189610f20f358038cea5bda215ded4ca32eefd2a72cf2
EAP-Message = 0x03040004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 11.