In v3.1.x: modules { cache cache_tls_session { driver = 'rlm_cache_redis' # Alc-Subsc-ID-Str is unique to each class/type of device on a circuit # NAS-Port-ID is used as the default by the DR if one is not provided # in the Access-Accept key = "cert:tls_session:%{hex:&TLS-Session-ID}" ttl = 86400 # 24 hrs # When creating or updating the flow is right to left. # When reading/merging the flow is left to right. # The cache entry # The current request update { &session-state: += &session-state:[*] } } } server tls-cache { # # Only the "authorize" section is needed. # Only the listed Autz-Types are used. # Everything else in the virtual server is ignored. # # The attribute &request:TLS-Session-Identity is set to the identity # of the session to read / write / delete from the cache. This # identity is an opaque blob. # authorize { Autz-Type Session-Cache-Read { update control { Cache-Allow-Insert := no } cache_tls_session } Autz-Type Session-Cache-Write { update control { Cache-TTL := 0 } cache_tls_session } Autz-Type Session-Cache-Delete { update control { Cache-TTL := 0 Cache-Allow-Insert := no } cache_tls_session } } } eap { tls-common { cache { enable = yes virtual_server = 'tls-cache' } } } Put stuff in session-state and it's automatically restored if the session is resumed... because you're resuming the session, right? and session-state is the state of the session... The main requirement with this method is that everything you want to store in session-state, is in there by the time the TLS session is ready to be frozen, so you likely want to run your policies in the post-auth section of the inner tunnel. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2