Example of how to use caching (Cached-Session-Policy)?
Phil Mayers
p.mayers at imperial.ac.uk
Sat Apr 23 12:20:27 CEST 2011
On 04/22/2011 05:00 PM, John Douglass wrote:
> Awesome Phil, that was exactly the kind of example that is awesomely
> useful :)
>
> I see that by default the username is stored along with this.
>
> [peap] Adding cached attributes to the reply:
> User-Name = "jd187"
> Cached-Session-Policy = "vlan=316"
>
> Do you know exactly how the session resumption is determined? In the
> debug output I see:
As Alan has mentioned, it's SSL/TLS session resumption, as PEAP (and
TTLS, in fact) are built on top of TLS-over-EAP.
Basically once you've done a "full" PEAP authentication once (including
full TLS - exchange certs, negotiate crypto - then a full inner auth
e.g. MSCHAP) the same client/server pair can resume the session in a
cryptographically secure manner, which is both quicker and involves fewer
round-trips.
In FreeRADIUS's case, it just uses the OpenSSL library to store some
additional data in the server "session", namely the values you've seen.
Specifically: it is *only* that client/server pair that can resume a
session, since they are the only entities which have the TLS shared
secret negotiated in the initial full exchange. It's not some sort of
"anything with the same username" thing - it's specific to TLS-based EAP
methods, built on top of TLS session resumption.
> So I am assuming that session id is some combination of attributes that
> uniquely describe a single particular connection/authentication (I would
No: it's an SSL variable, you don't see or control it, or really need to
worry about it.
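As an added example of the configuration this thread is about (not from the thread itself), assuming FreeRADIUS 2.1.x with `use_tunneled_reply = yes` in the peap section, a placeholder VLAN of 316, and that a Cached-Session-Policy set in the inner-tunnel post-auth is what the server stores in the TLS session:

```unlang
# raddb/eap.conf (assumed FreeRADIUS 2.1.x layout): enable the TLS session
# cache inside the tls { } section.  PEAP/TTLS resumption depends on it.
tls {
    cache {
        enable = yes
        lifetime = 24        # hours before a cached session expires
        max_entries = 255
    }
}

# raddb/sites-enabled/inner-tunnel, post-auth: the full (phase 2) inner
# authentication happened here, so this is where the site's policy decision
# is known.  "316" is a placeholder for whatever your policy source decides.
post-auth {
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "316"
        Cached-Session-Policy := "vlan=316"
    }
}

# raddb/sites-enabled/default, post-auth (outer request).  On a resumed
# session PEAP skips phase 2, so no inner post-auth runs; instead the server
# restores User-Name and Cached-Session-Policy into this reply, and the VLAN
# is rebuilt from the cached value.  On a full authentication the same
# attribute arrives via the tunneled reply, so both paths end up identical.
post-auth {
    if ("%{reply:Cached-Session-Policy}" =~ /^vlan=([0-9]+)$/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "%{1}"
        }
    }
}
```

Because resumption skips the inner authentication, whatever was cached is reapplied until `lifetime` expires or the cache is cleared, so a changed group membership or a disabled account is not noticed until then; choose `lifetime` with that in mind.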