On 10/04/15 15:47, Donald Sherker wrote:
I am running FreeRADIUS v3.0.x. I am trying to enable EAP Session Resumption, but I am running into some problems. In the eap module it says that two files will be written per session. I am never seeing the .vps file in the cache directory, and the .asn1 file will be written sometimes.
Weird. The files are written at different times as the data becomes available at different times. Can you show a full debug for a failing case?
SSL: wrote session f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38 to /<logdir>/tlscache/f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38.asn1 len=147
Ok.
(18) eap_peap: WARNING: No information in cached session f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38
Ok, that implies no value-pairs were read from <sess>.vps. Can you look and see if that file is missing, empty, or just has no data? Are you sure you're returning cacheable VPs? Are you seeing the: Saving session x vps y in the cache ...debug message in the initial session? The .vps file should look something like this: # SSL cached session SOMEHEX Attr = Value, Attr2 = Value2 If your inner tunnel doesn't actually return any cacheable attributes you'll just get the first two lines and there will be nothing to cache; that's
(18) eap: Freeing handler
The files referred to here was not written at all:
I don't understand. Are you saying the .asn1 files mentioned are not written?
Why would the files be written sometimes and not other times, and why are there no vps files for these sessions?
The way the code works is like this: 1. Feed data to OpenSSL 2. OpenSSL calls back into FreeRADIUS to persist the session if it's new, or load it from disk if it's old and not in-memory - these functions write and read the .asn1 files, respectively. 3. Later, FreeRADIUS either runs an inner auth for new sessions and writes the values to the .vps file, or reads them from the .vps file for a resumed session. There are cases where a .asn1 file will exist without a .vps - for example, if the client gets as far as establishing the TLS tunnel but hangs up before the inner auth completes, there will be no matching .vps. I can't remember if I coded for that that use-case :o( A full debug of the initial session followed by the failing session would really help here. Cheers, Phil