David Mitchell <mitchell@ucar.edu> wrote:
Alan DeKok wrote:
David Mitchell wrote:
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help.
There isn't a lot we can do. It's not clear *why* OpenSSL resumes sessions when session resumption is disabled.
I did manage to find an easy workaround for this. Simply enabling the cache in eap.conf allows these connections to succeed. I think there may still be a bug somewhere, or maybe more than one. At a minimum it seems a bit foolish for wpa_supplicant to keep trying to do a fast reconnect after getting an Access-Reject.
Whatever the root problem is, there is an easy workaround. I wanted to follow up primarily in case others find this thread in the future it will have a workaround. I'm guessing the only real downside to enabling the EAP cache is memory usage, which I'm not too worried about.
Make sure you 'git cherry-pick' the patches related to: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=15 https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=21 ...if you are using a vanilla 2.1.7. Cheers -- Alexander Clouter .sigmonster says: I'm not laughing with you, I'm laughing at you.