reauth-problem with WPA2-tls

Andreas Hartmann andihartmann at 01019freenet.de
Fri Jun 4 12:43:56 CEST 2010


Andreas Hartmann schrieb:
> Alan DeKok schrieb:
>> Andreas Hartmann wrote:
>>> I have one basic question:
>>> There are now two different caches: one in eap (based on ssl) and the
>>> extern cache, rlm_caching.
>>
>>   rlm_caching has nothing to do with EAP.
>>
>>> If I want to use fast_reauth, is it necessary to enable both caches or
>>> must the ssl-cache in eap.conf be disabled to run fast_reauth
>>> successfully with rlm_caching?
>>
>>   The EAP configuration explains what you need to do for fast re-auth.
>>
>>> Meanwhile, I have a configuration, which does a User-Name-based
>>> rlm_caching at the end of the last fragment of the initial
>>> authentication with an originaly empty database.
>>
>>   What is it supposed to do?
>>
>>> But the problem is:
>>>
>>> If the user reconnects or wants to connect initial again, the process is
>>> stopped (with success returned) at the moment, the client sends the
>>> User-Name.
>>> This is wrong. The process can't be interrupted before the key exchange
>>> has been done successfully.
>>> How can this be written in the config-file (authorize-section)?
>>
>>   What do you want to do?
>>
>>   I have no idea why you configured the caching module, and you haven't
>> explained why you configured it.
> 
> Thanks for your reply,
> 
> I configured it, because fast-reauth doesn't work for me.
> 
> - In the wpa_supplicant, fast_reauth is switched to 1.
> - In eap.conf, the cache under tls is enabled.
> 
> Now, wpa_supplicant is started and the client got authenticated. But
> there is a warning nearly at the end of the successfull authentication:
> 
> Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
> Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
> Fri Jun  4 09:42:11 2010 : Info: [tls] Adding user data to cached session
> Fri Jun  4 09:42:11 2010 : Info: [tls] Saving response in the cache
> Fri Jun  4 09:42:11 2010 : Info: [tls] WARNING: No information to
> 				       ^^^^^^^^^^^^^^^^^^^^^^^^^^
> cache: session caching will be disabled for this session.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Meanwhile, I defined a realm (I didn't had any until now). This seems to
make the initial session caching working!


Jun  4 11:12:43 2010 : Info: [tls] ACK handshake is finished
Fri Jun  4 11:12:43 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun  4 11:12:43 2010 : Info: [tls] eaptls_process returned 3
Fri Jun  4 11:12:43 2010 : Info: [tls] Adding user data to cached
				       ^^^^^^^^^^^^^^^^^^^^^^^^^^
session
^^^^^^^

Fri Jun  4 11:12:43 2010 : Info: [tls] Saving response in the cache
Fri Jun  4 11:12:43 2010 : Info: [eap] Freeing handler
Fri Jun  4 11:12:43 2010 : Info: ++[eap] returns ok
Fri Jun  4 11:12:43 2010 : Auth: Login OK: [myuser at mydom] (from client
WAP610N port 0 cli 00-13-....)


But the following fast-reauth doesn't work nevertheless:


Fri Jun  4 11:22:48 2010 : Info: [tls] Done initial handshake
Fri Jun  4 11:22:48 2010 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Jun  4 11:22:48 2010 : Info: [tls] <<< TLS 1.0 Handshake [length
0010], Finished
Fri Jun  4 11:22:48 2010 : Info: [tls]     TLS_accept: SSLv3 read finished A
Fri Jun  4 11:22:48 2010 : Info: [tls]     (other): SSL negotiation
finished successfully
Fri Jun  4 11:22:48 2010 : Debug: SSL Connection Established
Fri Jun  4 11:22:48 2010 : Debug: SSL Application Data
Fri Jun  4 11:22:48 2010 : Info: [tls] eaptls_process returned 3
Fri Jun  4 11:22:48 2010 : Info: [tls] Retrieved session data from
cached session
Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
					^^^^^^^^^^^^^^^^^^^^^^^^^
cached session!
^^^^^^^^^^^^^^^

Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myuser at mydom] (from
client WAP610N port 0 cli 00-13-....)
Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> myuser at mydom
Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds


What does it mean: No information in cached session? Couldn't the key be
found (what's the key? The username "myuser" or "myuser at mydom" or
soemthing else - do I have the chance to debug it?) or was the key
found, but there was no data associated?



Kind regards,
Andreas



More information about the Freeradius-Users mailing list