how to enable session resumption in fr?

WWF weiweif at 126.com
Mon Aug 9 12:02:52 CEST 2010


Dear all, hi!

Now I use fr 2.19 for WiMAX. The CPE asks for session resumption in TTLS-MSCHAPv2, like this:

Mon Aug  9 16:14:16 2010 : Info: [eap] Request found, released from the list
Mon Aug  9 16:14:16 2010 : Info: [eap] EAP/ttls
Mon Aug  9 16:14:16 2010 : Info: [eap] processing type ttls
Mon Aug  9 16:14:16 2010 : Info: [ttls] Authenticate
Mon Aug  9 16:14:16 2010 : Info: [ttls] processing EAP-TLS
Mon Aug  9 16:14:16 2010 : Info: [ttls] eaptls_verify returned 7
Mon Aug  9 16:14:16 2010 : Info: [ttls] Done initial handshake
Mon Aug  9 16:14:16 2010 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] 
Mon Aug  9 16:14:16 2010 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished 
Mon Aug  9 16:14:16 2010 : Info: [ttls]     TLS_accept: SSLv3 read finished A
Mon Aug  9 16:14:16 2010 : Info: [ttls]     (other): SSL negotiation finished successfully
Mon Aug  9 16:14:16 2010 : Debug: SSL Connection Established
Mon Aug  9 16:14:16 2010 : Debug: SSL Application Data
Mon Aug  9 16:14:16 2010 : Info: [ttls] eaptls_process returned 3
Mon Aug  9 16:14:16 2010 : Info: [ttls] Skipping Phase2 due to session resumption
Mon Aug  9 16:14:16 2010 : Info: [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
Mon Aug  9 16:14:16 2010 : Info: [eap] Freeing handler
Mon Aug  9 16:14:16 2010 : Info: ++[eap] returns reject
Mon Aug  9 16:14:16 2010 : Info: Failed to authenticate the user.
Mon Aug  9 16:14:16 2010 : Info: Using Post-Auth-Type Reject
Mon Aug  9 16:14:16 2010 : Info: +- entering group REJECT {...}
Mon Aug  9 16:14:16 2010 : Info: [attr_filter.access_reject]     expand: %{User-Name} -> B8616F001F47
Mon Aug  9 16:14:16 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Mon Aug  9 16:14:16 2010 : Info: ++[attr_filter.access_reject] returns updated
Mon Aug  9 16:14:16 2010 : Info: Delaying reject of request 69 for 1 seconds
Mon Aug  9 16:14:16 2010 : Debug: Going to the next request
Mon Aug  9 16:14:16 2010 : Debug: Waking up in 0.9 seconds.
Mon Aug  9 16:14:17 2010 : Info: Sending delayed reject for request 69
Sending Access-Reject of id 3 to 25.25.25.25 port 36867
    EAP-Message = 0x043c0004
    Message-Authenticator = 0x00000000000000000000000000000000


But if I enable session resumption by setting it in eap.conf:

                  #
                  #  Enable it.  The default is "no".
                  #  Deleting the entire "cache" subsection
                  #  Also disables caching.
                  #
                  #  You can disallow resumption for a
                  #  particular user by adding the following
                  #  attribute to the control item list:
                  #
                  #        Allow-Session-Resumption = No
                  #
                  #  If "enable = no" below, you CANNOT
                  #  enable resumption for just one user
                  #  by setting the above attribute to "yes".
                  #
                  enable = yes


then I got:


Mon Aug  9 16:55:26 2010 : Info: [eap] EAP/ttls
Mon Aug  9 16:55:26 2010 : Info: [eap] processing type ttls
Mon Aug  9 16:55:26 2010 : Info: [ttls] Authenticate
Mon Aug  9 16:55:26 2010 : Info: [ttls] processing EAP-TLS
Mon Aug  9 16:55:26 2010 : Info: [ttls] Received TLS ACK
Mon Aug  9 16:55:26 2010 : Info: [ttls] ACK handshake is finished
Mon Aug  9 16:55:26 2010 : Info: [ttls] eaptls_verify returned 3
Mon Aug  9 16:55:26 2010 : Info: [ttls] eaptls_process returned 3
Mon Aug  9 16:55:26 2010 : Info: [ttls] Saving response in the cache
Mon Aug  9 16:55:26 2010 : Info: [ttls] WARNING: No information to cache: session caching will be disabled for this session.
Mon Aug  9 16:55:26 2010 : Info: [eap] Freeing handler
Mon Aug  9 16:55:26 2010 : Info: ++[eap] returns ok
Mon Aug  9 16:55:26 2010 : Info: +- entering group post-auth {...}
Mon Aug  9 16:55:26 2010 : Info: ++[exec] returns noop
Mon Aug  9 16:55:26 2010 : Info:     expand: %{User-Name} -> 1109d0389bf34a72981580a304b50f3b
Mon Aug  9 16:55:26 2010 : Info: ++[reply] returns noop
Mon Aug  9 16:55:26 2010 : Info: [wimax] MIP-RK = 0x61c8c180fc45a070ca34e0d84e905c23329eec7d5ae69fe3f037d0b404988c7fec960a3dfcebba7615bf1a616ae527f699c87a93e29d66dc79f7fb02208fc1c1
Mon Aug  9 16:55:26 2010 : Info: [wimax] MIP-SPI = 29e23a18
Mon Aug  9 16:55:26 2010 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Mon Aug  9 16:55:26 2010 : Info: [wimax] WARNING: Not calculating MN-HA keys
Mon Aug  9 16:55:26 2010 : Info: ++[wimax] returns updated
Mon Aug  9 16:55:26 2010 : Info:     expand: %{EAP-MSK} ->
Mon Aug  9 16:55:26 2010 : Info:     expand: %{User-Name} -> 1109d0389bf34a72981580a304b50f3b
Mon Aug  9 16:55:26 2010 : Info:     expand: %{md5:%{User-Name}} -> 879d5828deac9e6abd6b86721968d541
Mon Aug  9 16:55:26 2010 : Info: ++[reply] returns updated
Sending Access-Accept of id 7 to 25.25.25.25 port 36867

And on resumption:

Mon Aug  9 16:53:46 2010 : Info: [eap] Request found, released from the list
Mon Aug  9 16:53:46 2010 : Info: [eap] EAP/ttls
Mon Aug  9 16:53:46 2010 : Info: [eap] processing type ttls
Mon Aug  9 16:53:46 2010 : Info: [ttls] Authenticate
Mon Aug  9 16:53:46 2010 : Info: [ttls] processing EAP-TLS
Mon Aug  9 16:53:46 2010 : Info: [ttls] eaptls_verify returned 7
Mon Aug  9 16:53:46 2010 : Info: [ttls] Done initial handshake
Mon Aug  9 16:53:46 2010 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] 
Mon Aug  9 16:53:46 2010 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished 
Mon Aug  9 16:53:46 2010 : Info: [ttls]     TLS_accept: SSLv3 read finished A
Mon Aug  9 16:53:46 2010 : Info: [ttls]     (other): SSL negotiation finished successfully
Mon Aug  9 16:53:46 2010 : Debug: SSL Connection Established
Mon Aug  9 16:53:46 2010 : Debug: SSL Application Data
Mon Aug  9 16:53:46 2010 : Info: [ttls] eaptls_process returned 3
Mon Aug  9 16:53:46 2010 : Info: [ttls] Skipping Phase2 due to session resumption
Mon Aug  9 16:53:46 2010 : Info: [ttls] WARNING: No information in cached session!
Mon Aug  9 16:53:46 2010 : Info: [eap] Freeing handler
Mon Aug  9 16:53:46 2010 : Info: ++[eap] returns reject
Mon Aug  9 16:53:46 2010 : Info: Failed to authenticate the user.
Mon Aug  9 16:53:46 2010 : Info: Using Post-Auth-Type Reject
Mon Aug  9 16:53:46 2010 : Info: +- entering group REJECT {...}
Mon Aug  9 16:53:46 2010 : Info: [attr_filter.access_reject]     expand: %{User-Name} -> 5e6b5185dcc44c0db5e23c6f0668c7a6
Mon Aug  9 16:53:46 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Mon Aug  9 16:53:46 2010 : Info: ++[attr_filter.access_reject] returns updated
Mon Aug  9 16:53:46 2010 : Info: Delaying reject of request 109 for 1 seconds
Mon Aug  9 16:53:46 2010 : Debug: Going to the next request


I don't know how to set the following:

                  #  You can disallow resumption for a
                  #  particular user by adding the following
                  #  attribute to the control item list:
                  #
                  #        Allow-Session-Resumption = No

It seems this attr can't be added into the access-xxx messages.

What can I do to enable session resumption in fr?
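
A triage script for the three outcomes visible in the debug traces above, as an added example that is not part of the original post: it groups FreeRADIUS log lines into EAP conversations (each ending at "[eap] Freeing handler") and labels every conversation by the session-resumption message it contains. The label names and the embedded sample log are constructed for illustration, and the script assumes conversations are not interleaved in the log.

```python
import re

# "Mon Aug  9 16:14:16 2010 : Info: <message>" as written in the traces above.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : \w+: (?P<msg>.*)$")

# (text from the server message, label), checked in priority order.
# Label names are hypothetical, chosen for this example.
MARKERS = [
    ("Forcibly stopping session resumption", "resume-refused"),
    ("No information in cached session", "resume-empty-cache"),
    ("No information to cache", "store-skipped"),
    ("Skipping Phase2 due to session resumption", "resumed"),
]

def classify(log_text):
    """Return [(timestamp, label)], one entry per EAP conversation."""
    results, seen = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:                      # e.g. "Sending Access-Reject ..." lines
            continue
        msg = m.group("msg")
        seen.update(label for needle, label in MARKERS if needle in msg)
        if "[eap] Freeing handler" in msg:   # end of this conversation
            label = next((l for _, l in MARKERS if l in seen), "full-auth")
            results.append((m.group("ts"), label))
            seen = set()
    return results

# Constructed sample: a few lines modelled on the three traces in the post.
SAMPLE_LOG = """\
Mon Aug  9 16:14:16 2010 : Info: [ttls] Skipping Phase2 due to session resumption
Mon Aug  9 16:14:16 2010 : Info: [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
Mon Aug  9 16:14:16 2010 : Info: [eap] Freeing handler
Mon Aug  9 16:53:46 2010 : Info: [ttls] Skipping Phase2 due to session resumption
Mon Aug  9 16:53:46 2010 : Info: [ttls] WARNING: No information in cached session!
Mon Aug  9 16:53:46 2010 : Info: [eap] Freeing handler
Mon Aug  9 16:55:26 2010 : Info: [ttls] Saving response in the cache
Mon Aug  9 16:55:26 2010 : Info: [ttls] WARNING: No information to cache: session caching will be disabled for this session.
Mon Aug  9 16:55:26 2010 : Info: [eap] Freeing handler
"""

if __name__ == "__main__":
    for ts, label in classify(SAMPLE_LOG):
        print(ts, label)
```

Counting "store-skipped" against "resume-empty-cache" per day shows whether rejected resumptions follow sessions that were accepted with nothing written to the cache.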