reauth-problem with WPA2-tls

[Andreas Hartmann]

Bjørn Mork schrieb:
> Andreas Hartmann <andihartmann at 01019freenet.de> writes:
> 
>> Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
>> 					^^^^^^^^^^^^^^^^^^^^^^^^^
>> cached session!
>> ^^^^^^^^^^^^^^^
>>
>> Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
>> Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
>> Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
>> Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myuser at mydom] (from
>> client WAP610N port 0 cli 00-13-....)
>> Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
>> Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
>> Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]    expand:
>> %{User-Name} -> myuser at mydom
>> Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
>> line 11
>> Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
>> updated
>> Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds
>>
>>
>> What does it mean: No information in cached session? Couldn't the key be
>> found (what's the key? The username "myuser" or "myuser at mydom" or
>> soemthing else - do I have the chance to debug it?) or was the key
>> found, but there was no data associated?
> 
> I wondered about the same...  You can find the session store and
> retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :
> 
> 	} else if (!SSL_session_reused(tls_session->ssl)) {
> 		RDEBUG2("Saving response in the cache");
> 		
> 		vp = paircopy2(request->reply->vps, PW_USER_NAME);
> 		pairadd(&vps, vp);
> 		
> 		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
> 		pairadd(&vps, vp);
> 		
> 		if (vps) {
> 			SSL_SESSION_set_ex_data(tls_session->ssl->session,
> 						eaptls_session_idx, vps);
> 		} else {
> 			RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session.");
> 			SSL_CTX_remove_session(tls_session->ctx,
> 					       tls_session->ssl->session);
> 		}
> 
> 		/*
> 		 *	Else the session WAS allowed.  Copy the cached
> 		 *	reply.
> 		 */
> 
> 	} else {
> 	       
> 		vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
> 					     eaptls_session_idx);
> 		if (!vp) {
> 			RDEBUG("WARNING: No information in cached session!");
> 			return eaptls_fail(handler, peap_flag);
> 		} else {
> 			RDEBUG("Adding cached attributes to the reply:");
> 			debug_pair_list(vp);
> 			pairadd(&request->reply->vps, paircopy(vp));
> 
> 			/*
> 			 *	Mark the request as resumed.
> 			 */
> 			vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
> 			if (vp) pairadd(&request->packet->vps, vp);
> 		}
> 	}
> 
> 
> So I guess the warning means that either SSL_SESSION_set_ex_data() or
> SSL_SESSION_get_ex_data() failed.  A useful change would be testing the
> return value of SSL_SESSION_set_ex_data() and print a warning if it
> fails, possibly using ERR_get_error() and ERR_error_string() or similar
> to get the actual error.  The latter would also be useful in the
> SSL_SESSION_get_ex_data() failure case

Debugging of SSL_SESSION_set_ex_data()

The returncode of the function is 1 (don't know, if it should be 0 - but
it could be correct too, if it means, that one pair has been stored).

vps, which SSL_SESSION_set_ex_data() is given as argument, consists of
one NULL element.

request->packet->vps->name gives User-Name, request->reply-vps is null
(should be PW_USER_NAME). But there cant be any password, because there
exists no password, because the authentication is done exclusively with
keys.
Could this problem be solved by a configuration entry or must it be
hacked? Is it possible to give wpa_supplicant a dummy password?



Debugging of SSL_SESSION_get_ex_data()

At resuming, Index is 2 (eaptls_session_idx). This would be ok. Seems,
that the returncode 1 from SSL_SESSION_set_ex_data() means, that nothing
has been saved.


I would be happy to get some more hints :-).


Kind regards,
Andreas