Stefan Winter <stefan.winter@restena.lu> wrote:
Is this likely to be a configuration error (no changes were made to the 2.1.7 config), or a bug?
Try increasing the size of the cache. Try ensuring that there is always a User-Name in the inner tunnel. This user name is cached, and is checked on session resumption.
How does this work together with anonymous outer ids? I.e. if outer User-Name = anon@foo.bar and the inner User-Name is stefan@foo.bar, then the cache contains a session for stefan@foo.bar
On session resumption, there is no inner tunnel exchange, there's a packet User-Name = anon@foo.bar and an EAP-Message with SSL magic (but no inner User-Name)... So how does FreeRADIUS know what to look up in the cache? Or am I missing something here?
You get the inner-tunnel to return in the reply packet the inner User-Name (you probably are doing this already to fixup your accounting packets properly) and it's that reply response which is cached by the session-resumption cache thingy mcwhatsit. Works rather nicely here. It's a minor ballache with load-balancers and overlapping 'eduroam' domains mind you...but that is a non-trivially[1] solved problem and something I can live with as it rarely crops up. Cheers [1] you need to share the SSL session cache between your different FreeRADIUS boxen, the support for that is not in OpenSSL yet if I remember correctly (or was it FreeRADIUS). This would be done with some file that could probably be NFS shared or something or other with locking safely enough -- Alexander Clouter .sigmonster says: How come only your friends step on your new white sneakers?