On 17.07.19 15:01, Alan DeKok wrote:
On Jul 16, 2019, at 1:49 PM, Sven Hartge <sven@svenhartge.de> wrote:
But: How? And what?
After looking into it, the answer is "badly" :(
So better wait for a later version before trying. I don't want to knock 20,000 users offline in a vain attempt to maybe optimize something which may not even need optimizing.
But what I am missing is a concrete example how a configuration would look, if you excuse my thickness.
It's pretty non-intuitive.
At least I wasn't totally blind in my disability to understand where to even start to use this feature. I've been staring at the configuration, the documentation (which essentially said the same as the comment in the configuration) and the code and had no idea when and how to use "Cached-Session-Policy". Do I set it to the name of the policy used to add the VLAN attributes? Do I just add the resulting attributes directly? Is it a string or an array?
Also, side note here: the native Debian packages in Debian 9 and 10 have tls-caching disabled at the source level because of CVE-2017-9148. Which means without recompilation you can't use this feature.
Debian also ships version of FreeRADIUS which are *years* out of date. Instead of using a recent release, they patch one from may years ago.
Which is why I roll my own packages with current versions, just using the Debian packages as a base.
Updated documentation and more friendly configuration is available at:
https://github.com/FreeRADIUS/freeradius-server/commit/a3c46544b38ab46218c38...
You'll have to use the v3.0.x code from GitHub in order to get simpler TLS session caching.
I see, this makes more sense now. Grüße, Sven.