Setting Cached-Session-Policy
Hi! I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.h... However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site: post-auth { if ( reply:Cached-Session-Policy ) { if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) { update reply { Reply-Message += "Cached policy: %{reply:Cached-Session-Policy}" Tunnel-Private-Group-ID := "%{1}" Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 } } } elsif ( reply:Tunnel-Private_group-ID ) { update reply { Cached-Session-Policy := "vlan=%{reply:Tunnel-Private-Group-ID}" } } I can see in the logs that this correctly sets Cached-Session-Policy, e.g. to vlan=10. However, during session resumption it will only add User-Name and Stripped-User-Name. During the initial session setup I can see that attributes are saved into the cache: [peap] Success [peap] Using saved attributes from the original Access-Accept Tunnel-Private-Group-Id:0 = "18" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN User-Name = "vogt" [peap] Saving response in the cache [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++? if (reply:Cached-Session-Policy ) ? Evaluating (reply:Cached-Session-Policy ) -> FALSE ++? if (reply:Cached-Session-Policy ) -> FALSE ++? elsif (reply:Tunnel-Private_group-ID ) ? Evaluating (reply:Tunnel-Private_group-ID ) -> TRUE ++? elsif (reply:Tunnel-Private_group-ID ) -> TRUE ++- entering elsif (reply:Tunnel-Private_group-ID ) {...} expand: vlan=%{reply:Tunnel-Private-Group-ID} -> vlan=18 +++[reply] returns noop ++- elsif (reply:Tunnel-Private_group-ID ) returns noop Now, if I understand the source code correctly, attributes are saved when freeradius logs "Saving response in the cache". I think this means that setting Cached-Session-Policy in post-auth is too late because at point the caching already happened and modifying Cached-Session-Policy won't affect what is stored in the cache. This is what is logged during session resumption: [peap] Adding cached attributes to the reply: User-Name = "vogt" Stripped-User-Name = "vogt" [eap] Freeing handler ++[eap] returns ok Should setting Cached-Session-Policy in post-auth have an effect on cached attributes or not? Cheers, Gerald
On 06/06/2011 04:30 PM, Gerald Vogt wrote:
Hi!
I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.h...
However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site:
Are you setting it in the post-auth of the inner-tunnel?
On 06.06.11 17:46, Phil Mayers wrote:
On 06/06/2011 04:30 PM, Gerald Vogt wrote:
Hi!
I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.h...
However, it seems to me as if the post-auth section is too late to set the Cached-Session-Policy. I have added the following to the beginning of the post-auth section in the default site:
Are you setting it in the post-auth of the inner-tunnel?
No. In the outer tunnel config. Gerald
participants (2)
-
Gerald Vogt -
Phil Mayers