On 24/02/16 14:38, Alan DeKok wrote:
On Feb 24, 2016, at 9:24 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
With your suggested change, for some reason it does a noop
That's fine.
(8) update outer.session-state { (8) &outer.session-state:User-Name = &User-Name -> "iser-linauth@bris.ac.uk" (8) } # update outer.session-state (noop)
The "update" section isn't a module, and doesn't have the normal module return codes.
The outer User-Name should at this point be anonymous@bris.ac.uk so I would expect this update operation to make a change and set &outer.session-state:User-Name to iser-linauth etc.
I'm not sure if I'm tying myself in knots here. Basically, in the past we've decided on the user's VLAN in outer post-auth based on their inner username, which we access like %{reply:User-Name} with use_tunneled_reply=yes. This doesn't work with resumed sessions in FR3 like it did on FR2 and we haven't been able to figure out why.
We reworked some of the SSL cache, which was required for new features. It *should* continue to work, though.
But if you're putting attributes into the session-state list, they will remain there for the lifetime of the authentication session. i.e. NOT the SSL session. The "session-state" list is NOT an SSL cache, and has nothing to do with SSL.
The SSL cache remains the same in v3.0 as in v2.2. But again, putting things into session-state does NOT put them in the SSL cache.
Alan DeKok.
Thanks, this helps with the clarity. What I think I need to do is store the Inner-User-Name in the SSL cache so when the session later gets resumed, we can use the Inner-User-Name to make a VLAN decision. How can I add specific attributes to the SSL cache? Thanks, Jonathan