Example of how to use caching (Cached-Session-Policy)?

Phil Mayers p.mayers at imperial.ac.uk
Sat Apr 23 12:20:27 CEST 2011


On 04/22/2011 05:00 PM, John Douglass wrote:
> Awesome Phil, that was exactly the kind of example that is awesomely
> useful :)
>
> I see that by default the username is stored along with this.
>
> [peap] Adding cached attributes to the reply:
> User-Name = "jd187"
> Cached-Session-Policy = "vlan=316"
>
> Do you know exactly how the session resumption is determined? In the
> debug output I see:

As Alan has mentioned, it's SSL/TLS session resumption, as PEAP (and 
TTLS, in fact) are built on top of TLS-over-EAP.

Basically once you've done a "full" PEAP authentication once (including 
full TLS - exchange certs, negotiate crypto - then a full inner auth 
e.g. MSCHAP) the same client/server pair can resume the session in a 
cryptographically secure manner, which is both quicker and needs fewer 
round-trips.

In FreeRADIUS' case, it just uses the OpenSSL library to store some 
additional data in the server "session", namely the values you've seen.

Specifically: it is *only* that client/server pair that can resume a 
session, since they are the only entities which have the TLS shared 
secret negotiated in the initial full exchange. It's not some sort of 
"anything with the same username" thing - it's specific to TLS-based EAP 
methods, built on top of TLS session resumption.

> So I am assuming that session id is some combination of attributes that
> uniquely describe a single particular connection/authentication (I would

No: it's an SSL variable, you don't see or control it, or really need to 
worry about it.
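As an added example (not from this thread and not the FreeRADIUS project's own configuration files), this is a FreeRADIUS 2.1.x setup that enables the TLS session cache and carries a VLAN decision across resumption via Cached-Session-Policy. The inner-tunnel/post-auth placement, the `use_tunneled_reply` requirement and the `vlan=NNN` string format are assumptions taken from the debug output quoted above.

```text
# raddb/eap.conf: the "cache" block sits in the tls {} subsection that peap {} uses
tls {
    # ... certificate and CA settings unchanged ...
    cache {
        enable = yes
        lifetime = 24      # hours a cached TLS session remains resumable
        max_entries = 255
    }
}
peap {
    # assumed: needed so the inner reply attribute reaches the outer reply,
    # which is the list FreeRADIUS copies into the cached session
    use_tunneled_reply = yes
}

# raddb/sites-available/inner-tunnel, post-auth section (assumed placement):
# decide the VLAN once, during the full authentication, and record it
post-auth {
    update reply {
        Cached-Session-Policy := "vlan=316"
    }
}

# raddb/sites-available/default, post-auth section: on a resumed session the
# cached User-Name and Cached-Session-Policy are added to the reply (see the
# "[peap] Adding cached attributes to the reply" debug line), so the recorded
# decision is applied without re-running the inner authentication; on a full
# authentication the same attribute arrives via the tunneled reply, so this
# one block covers both paths
post-auth {
    if ("%{reply:Cached-Session-Policy}" =~ /^vlan=([0-9]+)$/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "%{1}"
        }
    }
}
```

A resumed session only ever replays a policy that was cached for that exact client/server TLS session, so if the VLAN decision for a user changes, the cache entry must expire (the `lifetime` above) or be cleared before the new decision takes effect.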
