Session Resumption fails

Alexander Clouter alex at
Thu Sep 23 08:21:24 CEST 2010

Panagiotis Georgopoulos <panos at> wrote:
> I have a client machine that authenticates to FreeRadius using 
> EAP-TTLS over Access_Point_1 just fine. When I roam the client to 
> Access_Point_2 and tries to authenticate again to FreeRadius, session 
> resumption seems to be failing with the following error.
> [snipped]
> One thing to note on the above is that there is no cached information, 
> which seems strange as the client was authenticated some minutes over 
> Access_Point_1. The other thing is that user authentication fails 
> completely and the client resides to restart EAP-TTLS from the start 
> that finishes successfully.
The session cache stores what is in the *reply* packet of the inner 
request (if that makes sense).

In your eap.conf file, you refer to a virtual server to palm off 
requests to once the EAP layer has been peeled off.  In that virtual 
server say in the authorize{} section:
update reply {
	User-Name := "%{request:User-Name}"

Now you will find on resumption the username appears magically; session 
resumption is a feature of SSL/TLS and so the user-name is not 
accessible; hence the need to dig into the cache.

I also recommend that you also do:
update outer.request {
	User-Name := "%{request:User-Name}"

This means that when the authentication fails (as a quirk of the inner 
session, post-auth{} and the whole reply packet is no available when an 
inner request Reject's) you have access to the username that was used.


Alexander Clouter
.sigmonster says: And on the eighth day, we bulldozed it.

More information about the Freeradius-Users mailing list