FR 2.1.8 Issue - Unjustified(?) Access-Rejects.

Alan DeKok aland at deployingradius.com
Tue Jan 12 15:11:45 CET 2010


Stefan Winter wrote:
> How does this work together with anonymous outer ids? I.e. if outer
> User-Name = anon@foo.bar and the inner User-Name is stefan@foo.bar, then
> the cache contains a session for stefan@foo.bar

  Yes.

> On session resumption, there is no inner tunnel exchange, there's a
> packet User-Name = anon@foo.bar and an EAP-Message with SSL magic (but
> no inner User-Name)... So how does FreeRADIUS know what to look up in
> the cache? Or am I missing something here?

  There's an SSL identifier associated with the session:

supplicant: I have SSL id 0x282674736733673

server: OK, it's in my cache.

  (Modulo various crypto operations to keep it secure)

  The server uses the Id to find the cache entry, and the cached User-Name.

  Alan DeKok.
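
The lookup described in this reply, as an added example (not part of the original post and not FreeRADIUS code): a toy server-side cache keyed by the SSL session id that returns the cached inner User-Name on resumption and ignores the anonymous outer one. The class name, the entry lifetime and the injected clock are assumptions made for the illustration, and the crypto operations the reply mentions are left out.

```python
import secrets
import time


class TLSSessionCache:
    """Toy model of a server-side session cache for tunnelled EAP (hypothetical)."""

    def __init__(self, lifetime_s=3600, clock=time.monotonic):
        self.lifetime_s = lifetime_s   # assumed lifetime, not taken from the post
        self.clock = clock             # injectable so expiry can be tested
        self._entries = {}             # session id -> (inner User-Name, expiry time)

    def full_authentication(self, inner_user_name):
        """After a successful inner exchange, cache the inner identity."""
        session_id = secrets.token_bytes(32)
        expiry = self.clock() + self.lifetime_s
        self._entries[session_id] = (inner_user_name, expiry)
        return session_id

    def resume(self, outer_user_name, session_id):
        """Resumption: there is no inner exchange, so identity comes from the cache."""
        entry = self._entries.get(session_id)
        if entry is None:
            # Unknown id: the server cannot resume, a full handshake is needed.
            return ("full-handshake", None)
        inner_user_name, expiry = entry
        if self.clock() >= expiry:
            # Stale entry: drop it so it can never be resumed again.
            del self._entries[session_id]
            return ("full-handshake", None)
        # outer_user_name (e.g. anon@foo.bar) is deliberately not used as the
        # identity; policy and accounting should see the cached inner name.
        return ("resumed", inner_user_name)


if __name__ == "__main__":
    cache = TLSSessionCache()
    sid = cache.full_authentication("stefan@foo.bar")   # constructed sample identity
    print(cache.resume("anon@foo.bar", sid))
    print(cache.resume("anon@foo.bar", secrets.token_bytes(32)))
```
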


