EAP Session resumption && reply attributes

James J J Hooper jjj.hooper at bristol.ac.uk
Sun Jan 17 16:52:32 CET 2010


Hi All,
   When a client does session resumption:

cache { enable = yes} in eap.conf

The session User-Name (from previous access-accept) is restored from the 
cache e.g:

[ttls] Skipping Phase2 due to session resumption
[ttls] Adding cached attributes to the reply:
         User-Name = "ab1234"


In order to also return e.g. VLAN IDs (that could be computed from the 
inner User-Name in a non-session-resumption enabled config), I can move 
the config that sets the VLAN to the outer tunnel post-auth && ensure the 
inner tunnel sets:
   reply:outer User-Name to request:inner User-Name
and then key my VLAN computation (in outer post-auth) from reply:User-Name.

I can see other possibilities to do this (e.g. cache 
Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok 
to me. Can anyone on the list spot any problems, something that I've 
missed / gotchas with the above?

Many thanks,
   James
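
The arrangement described in the message above, written as FreeRADIUS 2.x unlang (an added example, not part of the original post or of the project's shipped configuration): the inner tunnel copies its User-Name into the outer reply, and the outer post-auth derives the VLAN from reply:User-Name, which is the same attribute the TLS session cache restores when Phase2 is skipped. The stock file names, the regex and the VLAN ID are assumptions chosen for illustration.

```unlang
# sites-available/inner-tunnel (assumed stock layout)
# Runs only on a full authentication; skipped on session resumption.
post-auth {
	# Copy the inner identity into the outer reply so that it is
	# returned in the Access-Accept and stored in the EAP session cache.
	update outer.reply {
		User-Name = "%{request:User-Name}"
	}
}

# sites-available/default (assumed stock layout), outer server
# Runs for both full authentications and resumed sessions.
post-auth {
	# Key the VLAN on reply:User-Name, never on request:User-Name,
	# because the outer request identity may be anonymous.
	# Constructed rule: identities like "ab1234" go to VLAN 100.
	if ("%{reply:User-Name}" =~ /^ab[0-9]+$/) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"
		}
	}
}
```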



