Re: PEAP-MSCHAPv2: Cannot recover attributes from TLS Session Cache
Brian Julin wrote:
Wussler, Doug wrote: But now I am trying to add TLS Session Cache, which looks like an under-appreciated and very cool capability.
I jotted some notes on how we got it working here. Not quite sure if there have been tweaks since then, but give this a whir:
http://lists.freeradius.org/pipermail/freeradius-users/2016-January/081595 .html
Brian - I¹m grateful for the effort you put into your reply. Indeed, you did provide the clue I needed. In my case all I needed to add was the ³Post-Auth-Type Challenge² clause to my outer tunnel. Looks like we now have fast-reconnect working! Should have a large impact here. Perhaps there is something else I don¹t understand but it does not look like ³use_tunneled_reply² in the eap module is really deprecated. I can¹t get anything to work without that. In any case, thank you very much. I appreciate your help. Doug Wussler Florida State University
Wussler, Doug wrote:
Perhaps there is something else I don¹t understand but it does not look like ³use_tunneled_reply² in the eap module is really deprecated. I can¹t get anything to work without that.
It's been removed in the 3.2.x devel branch. I'm not sure how recent you have to be to get by without it, I was on 3.0.11 when I built that config. Probably you'd need some of the other stanzas in that post to pull values into/out of the session-state to pop them out of the inner tunnel. I'd post a fully worked example, but ours is a more complicated setup than people really need since we have a 3rd party NAC sandwiched between instances on our FreeRADIUS server. (Not something I'd recommend and I'd ditch this whole setup if I had the option.)
On 5 Aug 2016, at 11:36, Brian Julin <BJulin@clarku.edu> wrote:
Wussler, Doug wrote:
Perhaps there is something else I don¹t understand but it does not look like ³use_tunneled_reply² in the eap module is really deprecated. I can¹t get anything to work without that.
It's been removed in the 3.2.x devel branch.
I'm not sure how recent you have to be to get by without it,
Use the outer.session-state list to build the reply, and copy the contents across in post-auth. It’ll work in v3.0.x too and is less magical. # Outer post-auth { update { &reply: += &session-state:[*] } } From an architectural point of view the option was wrong, and was preventing us from moving to a clean design for protocol nesting. When you proxy to the inner tunnel, what you’re actually doing is decoding the TLVs from the EAP method, and creating a fake request with them, so the reply list from the inner tunnel server should be encoded as EAP method TLVs, it shouldn’t contain any RADIUS attributes, only EAP method attributes. This is important for things like the SoH module, which can actually run equally well with DHCP or PEAPv0. In terms of usability improvementsWe could also represent session-state as a request qualifier i.e. session.reply That’d allow all lists to be represented, and maybe the reply to be automatically merged? Does seem a bit more friendly. -Arran
participants (3)
-
Arran Cudbard-Bell -
Brian Julin -
Wussler, Doug