FR 2.1.8 Issue - Unjustified(?) Access-Rejects.

Palmer J.D.F. J.D.F.Palmer at swansea.ac.uk
Wed Jan 13 10:46:35 CET 2010


Thanks for the reply Alan.

>   This means that the session wasn't cached, and they are trying to
> resume a session that never was started.  The change in 2.1.8 is there
> to work around a bug in OpenSSL.

Ok

>   The only other alternative is that they *are* resuming a valid
> session, but (a) after the session has timed out, or (b) where no
> User-Name was cached from the inner tunnel session.

b) is possible due to the point below about cache size.

>   Try increasing the size of the cache.  Try ensuring that there is
> always a User-Name in the inner tunnel.  This user name is cached, and
> is checked on session resumption.

I reinstated 2.1.8 this morning after having set the cache size to
infinity (was the default 255) but the problem still exists.
Caching is enabled in eap.conf, but does fastreauth need to be enabled
in experimental.conf?  It is currently disabled.

Whether this has any bearing on it I'm not sure, but this seems to be
affecting users that use wpa_supplicant more, though Windows users have
also reported the problem.

Thanks,
Jezz.





