reauth-problem with WPA2-tls

Bjørn Mork bjorn at mork.no
Fri Jun 4 14:13:01 CEST 2010


Andreas Hartmann <andihartmann at 01019freenet.de> writes:

> Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
> 					^^^^^^^^^^^^^^^^^^^^^^^^^
> cached session!
> ^^^^^^^^^^^^^^^
>
> Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
> Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
> Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
> Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myuser at mydom] (from
> client WAP610N port 0 cli 00-13-....)
> Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
> Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
> Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]    expand:
> %{User-Name} -> myuser at mydom
> Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
> line 11
> Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
> updated
> Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds
>
>
> What does it mean: No information in cached session? Couldn't the key be
> found (what's the key? The username "myuser" or "myuser at mydom" or
> something else - do I have the chance to debug it?) or was the key
> found, but there was no data associated?

I wondered about the same...  You can find the session store and
retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :

	} else if (!SSL_session_reused(tls_session->ssl)) {
		RDEBUG2("Saving response in the cache");
		
		vp = paircopy2(request->reply->vps, PW_USER_NAME);
		pairadd(&vps, vp);
		
		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
		pairadd(&vps, vp);
		
		if (vps) {
			SSL_SESSION_set_ex_data(tls_session->ssl->session,
						eaptls_session_idx, vps);
		} else {
			RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
			SSL_CTX_remove_session(tls_session->ctx,
					       tls_session->ssl->session);
		}

		/*
		 *	Else the session WAS allowed.  Copy the cached
		 *	reply.
		 */

	} else {
		vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
					     eaptls_session_idx);
		if (!vp) {
			RDEBUG("WARNING: No information in cached session!");
			return eaptls_fail(handler, peap_flag);
		} else {
			RDEBUG("Adding cached attributes to the reply:");
			debug_pair_list(vp);
			pairadd(&request->reply->vps, paircopy(vp));

			/*
			 *	Mark the request as resumed.
			 */
			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
			if (vp) pairadd(&request->packet->vps, vp);
		}
	}


So I guess the warning means that either SSL_SESSION_set_ex_data() or
SSL_SESSION_get_ex_data() failed.  A useful change would be testing the
return value of SSL_SESSION_set_ex_data() and print a warning if it
fails, possibly using ERR_get_error() and ERR_error_string() or similar
to get the actual error.  The latter would also be useful in the
SSL_SESSION_get_ex_data() failure case.



Bjørn
