Folks, I'm having trouble getting session caching to work in 3.0.9. In my config a user's VLAN is determined based on an LDAP search and in some cases by an external program (exec). This is done in the inner-tunnel. For session caching I added the following to post-auth of inner-tunnel: if ( reply:Tunnel-Private-group-ID ) { update reply { Cached-Session-Policy :="vlan=%{reply:Tunnel-Private-Group-ID}" } } And the following to post-auth of default: if ( reply:Cached-Session-Policy ) { if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) { update reply { Reply-Message += "Cached policy:%{reply:Cached-Session-Policy}" Tunnel-Private-Group-ID := "%{1}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } } Question 1: use_tunneled_reply. Is it truly deprecated in the case of session caching? When I use the alternative given in the example config file, I never see any .vps file saved in the disk cache though there is a .asn1 file. When I revert to use_tunneled_reply=yes the .vps files appear and their content appears correct. Question 2: See attached debug log. When a session resumes, the cached info appears to be read correctly from the cache (see "Debug: (41)") but it never gets sent back in the reply (see "Debug: (42)"). What am I doing wrong? Regards, Jason Alderfer
On Aug 31, 2015, at 2:06 PM, Jason Alderfer <jha2@emu.edu> wrote:
I'm having trouble getting session caching to work in 3.0.9.
What are you trying to cache? And when? It's not clear what you mean by "session caching".
In my config a user's VLAN is determined based on an LDAP search and in some cases by an external program (exec). This is done in the inner-tunnel.
For session caching I added the following to post-auth of inner-tunnel:
if ( reply:Tunnel-Private-group-ID ) { update reply { Cached-Session-Policy :="vlan=%{reply:Tunnel-Private-Group-ID}" } }
Which caches things. Have you also enabled the "cache" module? If not, that explains why nothing's being cached.
And the following to post-auth of default:
if ( reply:Cached-Session-Policy ) { if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) { update reply { Reply-Message += "Cached policy:%{reply:Cached-Session-Policy}" Tunnel-Private-Group-ID := "%{1}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } }
That just sets the cache policy. It does NOT say "run the cache module".
Question 1: use_tunneled_reply. Is it truly deprecated in the case of session caching?
It's deprecated. You should use "session-state" for attributes which need to be tracked during an ongoing Access-Request / Access-Challenge series of packets. See raddb/sites-available/default. Look for "session-state". But that is NOT the same as TLS session caching.
When I use the alternative given in the example config file, I never see any .vps file saved in the disk cache though there is a .asn1 file. When I revert to use_tunneled_reply=yes the .vps files appear and their content appears correct.
Did you configure the TLS session caching in raddb/mods-available/eap? This is NOT the same thing as the "cache" module. And it's NOT the same thing as the session-state.
Question 2: See attached debug log. When a session resumes, the cached info appears to be read correctly from the cache (see "Debug: (41)") but it never gets sent back in the reply (see "Debug: (42)").
Try using v3.0.x from github. It may be better. I've put a few fixes in which should help. And be clear on what you're caching, and why. The configuration comes with many examples. Read them. Follow the examples. Do ONE thing at a time. Alan DeKok.
participants (2)
-
Alan DeKok -
Jason Alderfer