Session Resumption fails

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Thu Sep 23 11:52:18 CEST 2010 

Hi Alexander, all

	Thanks a lot for your reply. Please see my comments below...


> Panagiotis Georgopoulos <panos at comp.lancs.ac.uk> wrote:
> >
> > I have a client machine that authenticates to FreeRadius using
> > EAP-TTLS over Access_Point_1 just fine. When I roam the client to
> > Access_Point_2 and tries to authenticate again to FreeRadius, session
> > resumption seems to be failing with the following error.
> >
> > [snipped]
> >
> > One thing to note on the above is that there is no cached information,
> > which seems strange as the client was authenticated some minutes over
> > Access_Point_1. The other thing is that user authentication fails
> > completely and the client resides to restart EAP-TTLS from the start
> > that finishes successfully.
> >
> The session cache stores what is in the *reply* packet of the inner
> request (if that makes sense).
> 

Hmm, yes I think I do. So the server keeps the reply of an authentication
and therefore if a client has authenticated successfully before, there
should be a valid entry of his identity in the cache so that Phase 2 of TTLS
in my case would be skipped.


> In your eap.conf file, you refer to a virtual server to palm off
> requests to once the EAP layer has been peeled off.  In that virtual
> server say in the authorize{} section:
> ----
> update reply {
> 	User-Name := "%{request:User-Name}"
> }
> ----
> 
> Now you will find on resumption the username appears magically; session
> resumption is a feature of SSL/TLS and so the user-name is not
> accessible; hence the need to dig into the cache.
>

Residing in the cache, seems reasonable since it is a feature of SSL/TLS.
What I don't get is that since this is a standard EAP-TTLS authentication,
shouldn't resumption be working out of the box? 

So, if full authentication *succeeds* for a client once, then there should
be a cache entry reflecting that so that he won't have to perform full
EAP-TTLS communication if he requests access within the lifetime that the
cache entry is valid (in eap.conf terms ; lifetime = 24 # hours). 

In my tests thought I get "Info: [ttls] WARNING: No information in cached
session!". 


> I also recommend that you also do:
> ----
> update outer.request {
> 	User-Name := "%{request:User-Name}"
> }
> ----
> 
> This means that when the authentication fails (as a quirk of the inner
> session, post-auth{} and the whole reply packet is no available when an
> inner request Reject's) you have access to the username that was used.
> 

Oh.. wait a minute, unless you mean that there is no way for the inner
session, post-auth{} to know the contents of the server's reply in a
previous authentication, which seems like a design flow.

Would adding the outer.request part that you suggested add an entry in the
cache for a successful auth of the inner session?

Cheers,
Panos

More information about the Freeradius-Users mailing list