Hi,
You can do in-memory caching. I suggest trying that first. It works in all of my tests.
As a second step, enable on-disk caching.
Does not matter if I use in-memory or persistent on-disk caching, result is always the same, first run succeeds and second one fails, cache is invalidated and full TLS handshake is performed again.
Virtual server 'check-eap-tls’ which is configured to verify client certificates fails when cached TLS session calls this method, variables needed for verification are not propagated correctly.
What does that mean?
When TLS implementation detects request to use cached session data, variables like %{TLS-Client-*} are not propagated and code in check-eap-tls virtual server fails because variables needed for client certificate validation do not contain any data.
server check-eap-tls { authorize {
if ("%{TLS-Client-Cert-Subject-Alt-Name-Upn}" =~ /^([a-z0-9]|[\w\.-]?)+\@example\.com$/i) { update config { Auth-Type := Accept
This is in the inner tunnel, right?
This is defined in eap configuration's tls section.
This is a fragment from log file:
Why? We recommend reading the *debug* output.
To demonstrate my issue more clearly I have attached three files to this message, configuration, first run and second run. Output is generated by running freeradius -Xxx
Sun Jun 14 14:56:11 2015 : Auth: (44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed): [host/xxxxx.example.com/<via Auth-Type = EAP>] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38) Sun Jun 14 14:56:16 2015 : Error: Couldn't open /var/log/radius/tlscache/c0373a395b8cc8bc3bd2fe453c3f235454b5216a47c1cb66e30580cd697033f1.vps for reading: No such file or directory
Probably because the TLS data isn't being cached.
First run ... Mon Jun 15 08:29:23 2015 : Debug: (14) eap_tls : TLS_accept: SSLv3 flush data Mon Jun 15 08:29:23 2015 : Debug: SSL: adding session 5bb22b52d5ab6b8e0e2c0be1c0054e8d5e3a11198dd85a74ff14d199374706e9 to cache Mon Jun 15 08:29:23 2015 : Debug: (14) eap_tls : (other): SSL negotiation finished successfully Second run … Mon Jun 15 08:59:42 2015 : Auth: (23) Login incorrect: [host/user_host.private.com/<via Auth-Type = Reject>] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38 via TLS tunnel) Mon Jun 15 08:59:42 2015 : Debug: (23) Using Post-Auth-Type Reject Mon Jun 15 08:59:42 2015 : Debug: (23) Post-Auth-Type sub-section not found. Ignoring. Mon Jun 15 08:59:42 2015 : Debug: (23) Reply: Mon Jun 15 08:59:42 2015 : Debug: (23) } # server check-eap-tls Mon Jun 15 08:59:42 2015 : Debug: (23) eap_tls : Certificates were rejected by the virtual server Mon Jun 15 08:59:42 2015 : Debug: SSL: Removing session 5bb22b52d5ab6b8e0e2c0be1c0054e8d5e3a11198dd85a74ff14d199374706e9 from the cache Mon Jun 15 08:59:42 2015 : ERROR: (23) eap : Failed continuing EAP TLS (13) session. EAP sub-module failed Debug logs: Regards, Jyri.