Re: *TLS* Session caching in v3.0.9
On Mon, Aug 31, 2015 at 3:12 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 31, 2015, at 2:06 PM, Jason Alderfer <jha2@emu.edu> wrote:
I'm having trouble getting session caching to work in 3.0.9.
It's not clear what you mean by "session caching".
I want to use TLS session caching to enable TLS session resumption aka MS "fast reconnect". In the TLS session cache I want to store a VLAN value to be sent back in the TLS session resumptions. Did you configure the TLS session caching in raddb/mods-available/eap?
Yes. It is enabled. This is NOT the same thing as the "cache" module. And it's NOT the same
thing as the session-state.
Question 2: See attached debug log. When a session resumes, the cached info appears to be read correctly from the cache (see "Debug: (41)") but it never gets sent back in the reply (see "Debug: (42)").
Try using v3.0.x from github. It may be better. I've put a few fixes in which should help.
Testing with v3.0.x. What I found: 1. In order to get TLS sessions to be cached without needing to enable use_tunneled_reply = yes, I had to put the following in the "authorize" section of "default" so that it came before the eap module was called. Otherwise eap didn't find anything to cache. update { &reply: += &session-state: } if ( &reply:Cached-Session-Policy ) { if ( &reply:Cached-Session-Policy =~ /vlan=(.+)/ ) { update reply { Reply-Message += "Cached policy:%{reply:Cached-Session-Policy}" Tunnel-Private-Group-ID := "%{1}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } } 2. With the above in place, caching appears to work correctly. All expected attributes are in the cache, and on session resumption they are read correctly from the cache, however they are not sent back in the final reply. See below. [...] Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: SSL Connection Established Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: SSL Application Data Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: Adding cached attributes from session f2da74c194f913b553b402be956fef89d955c31ac3438cfd3d173e803d37c269 Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: reply:User-Name += "alderfjh" Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: reply:Cached-Session-Policy += "vlan=3" Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: [eaptls process] = success Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: Session established. Decoding tunneled attributes Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: PEAP state TUNNEL ESTABLISHED Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: Skipping Phase2 because of session resumption Fri Sep 4 11:41:29 2015 : Debug: (14) eap_peap: SUCCESS Fri Sep 4 11:41:29 2015 : Debug: (14) eap: Sending EAP Request (code 1) ID 5 length 43 Fri Sep 4 11:41:29 2015 : Debug: (14) eap: EAP session adding &reply:State = 0x0a356ef1083077e4 Fri Sep 4 11:41:29 2015 : Debug: (14) modsingle[authenticate]: returned from eap (rlm_eap) for request 14 Fri Sep 4 11:41:29 2015 : Debug: (14) [eap] = handled Fri Sep 4 11:41:29 2015 : Debug: (14) } # authenticate = handled Fri Sep 4 11:41:29 2015 : Debug: (14) Using Post-Auth-Type Challenge Fri Sep 4 11:41:29 2015 : Debug: (14) Post-Auth-Type sub-section not found. Ignoring. Fri Sep 4 11:41:29 2015 : Debug: (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Fri Sep 4 11:41:29 2015 : Debug: (14) session-state: Nothing to cache Fri Sep 4 11:41:29 2015 : Debug: (14) Sent Access-Challenge Id 161 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0 Fri Sep 4 11:41:29 2015 : Debug: (14) User-Name += "alderfjh" Fri Sep 4 11:41:29 2015 : Debug: (14) EAP-Message = 0x0105002b1900170301002089c927cc662723556271f795130acfbd6f74cf74844c6194fc8edf6008822831 Fri Sep 4 11:41:29 2015 : Debug: (14) Message-Authenticator = 0x00000000000000000000000000000000 Fri Sep 4 11:41:29 2015 : Debug: (14) State = 0x0a356ef1083077e4f2094fd2b79c8abb Fri Sep 4 11:41:29 2015 : Debug: (14) Finished request [...] Fri Sep 4 11:41:29 2015 : Debug: (15) Received Access-Request Id 141 from 10.3.20.20:32858 to 10.3.20.8:1812 length 317 Fri Sep 4 11:41:29 2015 : Debug: (15) User-Name = "alderfjh" Fri Sep 4 11:41:29 2015 : Debug: (15) NAS-IP-Address = 192.168.20.2 Fri Sep 4 11:41:29 2015 : Debug: (15) NAS-Port = 0 Fri Sep 4 11:41:29 2015 : Debug: (15) NAS-Identifier = "192.168.20.2" Fri Sep 4 11:41:29 2015 : Debug: (15) NAS-Port-Type = Wireless-802.11 Fri Sep 4 11:41:29 2015 : Debug: (15) Calling-Station-Id = "BC6E64721BDA" Fri Sep 4 11:41:29 2015 : Debug: (15) Called-Station-Id = "000B86612D64" Fri Sep 4 11:41:29 2015 : Debug: (15) Service-Type = Login-User Fri Sep 4 11:41:29 2015 : Debug: (15) Framed-MTU = 1100 Fri Sep 4 11:41:29 2015 : Debug: (15) EAP-Message = 0x0205005019001703010020b1e84bef14eb5dc34d86f50ad057aab7481972c63dcb75bcb83bdd08af79d8aa17030100206040b54b4046a27a7e464b0c4168296c41675fd2fd609d882b352a400c8e8fbb Fri Sep 4 11:41:29 2015 : Debug: (15) State = 0x0a356ef1083077e4f2094fd2b79c8abb Fri Sep 4 11:41:29 2015 : Debug: (15) Aruba-Essid-Name = "EMU-testdad" Fri Sep 4 11:41:29 2015 : Debug: (15) Aruba-Location-Id = "NL1-1st-great-lounge-103-ap65" Fri Sep 4 11:41:29 2015 : Debug: (15) Aruba-AP-Group = "NL-master-only-normal-ARM" Fri Sep 4 11:41:29 2015 : Debug: (15) Message-Authenticator = 0xe57b4ba73dfd4ebcb4fcd80cf4f1cbe3 Fri Sep 4 11:41:29 2015 : Debug: (15) session-state: No cached attributes Fri Sep 4 11:41:29 2015 : Debug: (15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Fri Sep 4 11:41:29 2015 : Debug: (15) authorize { Fri Sep 4 11:41:29 2015 : Debug: (15) update { Fri Sep 4 11:41:29 2015 : Debug: (15) No attributes updated Fri Sep 4 11:41:29 2015 : Debug: (15) } # update = noop Fri Sep 4 11:41:29 2015 : Debug: (15) if ( &reply:Cached-Session-Policy ) { Fri Sep 4 11:41:29 2015 : Debug: (15) if ( &reply:Cached-Session-Policy ) -> FALSE [...] Fri Sep 4 11:41:29 2015 : Debug: (15) Sent Access-Accept Id 141 from 10.3.20.8:1812 to 10.3.20.20:32858 length 0 Fri Sep 4 11:41:29 2015 : Debug: (15) MS-MPPE-Recv-Key = 0x9f85989d1bc6533c26517adb7a130fa621c778ebd0d6fcc46319384e279481b4 Fri Sep 4 11:41:29 2015 : Debug: (15) MS-MPPE-Send-Key = 0xebbb603a80d0fe376d053c7101e5d8f8e35464c55efa82305133b0668bcc440a Fri Sep 4 11:41:29 2015 : Debug: (15) User-Name = "alderfjh" Fri Sep 4 11:41:29 2015 : Debug: (15) Finished request
On Sep 4, 2015, at 12:16 PM, Jason Alderfer <jha2@emu.edu> wrote:
Testing with v3.0.x. What I found:
1. In order to get TLS sessions to be cached without needing to enable use_tunneled_reply = yes, I had to put the following in the "authorize" section of "default" so that it came before the eap module was called. Otherwise eap didn't find anything to cache.
OK.
2. With the above in place, caching appears to work correctly. All expected attributes are in the cache, and on session resumption they are read correctly from the cache, however they are not sent back in the final reply. See below.
You're not putting anything into session-state. So when you're taking the reply attributes from the &session-state, nothing is there. There's a lot of moving parts here. a) attributes which need to be saved across multiple Access-Challenges MUST be put into the "session-state" list. b) you must set Cached-Session-Policy some time BEFORE the session finishes, so that the TLS session is cached, with the policy. c) on session resumption, the Cached-Session-Policy is read from the cache and put back into the reply list. The "inner tunnel" isn't executed. d) if the next packet is an Access-Accept, you can key off of Cached-Session-Policy in the post-auth section, to set your reply attributes e) if the next packet is an Access-Challenge, you MUST copy Cached-Session-Policy to &session-state, so that it can be used in the next Access-Accept This is simpler in the v3.1.x branch. You can set a virtual server to run on TLS session cache read / write / delete. You can then cache the TLS session anywhere, and you can cache any kind of attribute from any list. The hard-coded processing of v2 and v3.0 is gone. It's more complicated to set up, but ultimately easier to understand and to use. Alan DeKok.
participants (2)
-
Alan DeKok -
Jason Alderfer