Panagiotis Georgopoulos <panos@comp.lancs.ac.uk> wrote:
I have a client machine that authenticates to FreeRadius using EAP-TTLS over Access_Point_1 just fine. When I roam the client to Access_Point_2 and tries to authenticate again to FreeRadius, session resumption seems to be failing with the following error.
[snipped]
One thing to note on the above is that there is no cached information, which seems strange as the client was authenticated some minutes over Access_Point_1. The other thing is that user authentication fails completely and the client resides to restart EAP-TTLS from the start that finishes successfully.
The session cache stores what is in the *reply* packet of the inner request (if that makes sense). In your eap.conf file, you refer to a virtual server to palm off requests to once the EAP layer has been peeled off. In that virtual server say in the authorize{} section: ---- update reply { User-Name := "%{request:User-Name}" } ---- Now you will find on resumption the username appears magically; session resumption is a feature of SSL/TLS and so the user-name is not accessible; hence the need to dig into the cache. I also recommend that you also do: ---- update outer.request { User-Name := "%{request:User-Name}" } ---- This means that when the authentication fails (as a quirk of the inner session, post-auth{} and the whole reply packet is no available when an inner request Reject's) you have access to the username that was used. Cheers -- Alexander Clouter .sigmonster says: And on the eighth day, we bulldozed it.