Session Resumption fails

Alexander Clouter alex at digriz.org.uk
Thu Sep 23 08:21:24 CEST 2010


Panagiotis Georgopoulos <panos at comp.lancs.ac.uk> wrote:
> 
> I have a client machine that authenticates to FreeRadius using 
> EAP-TTLS over Access_Point_1 just fine. When I roam the client to 
> Access_Point_2 and it tries to authenticate again to FreeRadius, session 
> resumption seems to be failing with the following error.
> 
> [snipped]
> 
> One thing to note on the above is that there is no cached information, 
> which seems strange as the client was authenticated some minutes earlier 
> over Access_Point_1. The other thing is that user authentication fails 
> completely and the client resorts to restarting EAP-TTLS from the start, 
> which finishes successfully.
> 
The session cache stores what is in the *reply* packet of the inner 
request (if that makes sense).

In your eap.conf file, you refer to a virtual server to palm off 
requests to once the EAP layer has been peeled off.  In that virtual 
server say in the authorize{} section:
----
update reply {
	User-Name := "%{request:User-Name}"
}
----

Now you will find on resumption the username appears magically; session 
resumption is a feature of SSL/TLS and so the user-name is not 
accessible; hence the need to dig into the cache.

I also recommend that you do:
----
update outer.request {
	User-Name := "%{request:User-Name}"
}
----

This means that when the authentication fails (as a quirk of the inner 
session, post-auth{} and the whole reply packet are not available when an 
inner request Rejects) you still have access to the username that was used.

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the eighth day, we bulldozed it.
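The two update blocks above, shown in context as an added example (this is not configuration from the list post or from the FreeRADIUS project; the virtual server names "inner-tunnel" and "default", the module list, and the 3.x-style "server default {" wrapper are assumptions):

```unlang
# Added example, not from the original post. Inner virtual server that the
# EAP-TTLS tunnel hands decrypted requests to (name is an assumption).
server inner-tunnel {
    authorize {
        # Copy the inner identity into the reply: the TLS session cache
        # stores the reply, so a resumed session carries a User-Name even
        # though the resumption handshake itself never sends one.
        update reply {
            User-Name := "%{request:User-Name}"
        }

        # Copy it to the outer request as well, so the outer server's
        # post-auth section still sees the real username when the inner
        # request is rejected and no inner reply/post-auth is produced.
        update outer.request {
            User-Name := "%{request:User-Name}"
        }

        files
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

# Outer virtual server (name and wrapper syntax are assumptions). Because
# of the outer.request update above, User-Name here is the inner identity
# rather than the anonymous outer identity the supplicant may have sent.
server default {
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Both updates sit in authorize{} of the inner server, ahead of the modules that decide the result, so they run regardless of whether the inner request is later accepted or rejected.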