EAP Session Resumption

Phil Mayers p.mayers at imperial.ac.uk
Fri Apr 10 18:14:48 CEST 2015


On 10/04/15 15:47, Donald Sherker wrote:
> I am running FreeRADIUS v3.0.x.  I am trying to enable EAP Session
> Resumption, but I am running into some problems.  In the eap module it
> says that two files will be written per session.  I am never seeing
> the .vps file in the cache directory, and the .asn1 file will be
> written sometimes.

Weird.

The files are written at different times as the data becomes available 
at different times.

Can you show a full debug for a failing case?

>    SSL: wrote session
> f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38 to
> /<logdir>/tlscache/f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38.asn1
> len=147

Ok.

> (18) eap_peap: WARNING: No information in cached session
> f72abc554bb004769d9c8bf121d63a412b519538ece70b34526f42e787bb5b38

Ok, that implies no value-pairs were read from <sess>.vps. Can you look 
and see if that file is missing, empty, or just has no data?

Are you sure you're returning cacheable VPs? Are you seeing the:

Saving session x vps y in the cache

...debug message in the initial session?


The .vps file should look something like this:

# SSL cached session
SOMEHEX
	Attr = Value,
	Attr2 = Value2

If your inner tunnel doesn't actually return any cacheable attributes 
you'll just get the first two lines and there will be nothing to cache; 
that's

> (18) eap: Freeing handler
>
> The files referred to here was not written at all:

I don't understand. Are you saying the .asn1 files mentioned are not 
written?

> Why would the files be written sometimes and not other times, and why
> are there no vps files for these sessions?

The way the code works is like this:

1. Feed data to OpenSSL

2. OpenSSL calls back into FreeRADIUS to persist the session if it's 
new, or load it from disk if it's old and not in-memory - these 
functions write and read the .asn1 files, respectively.

3. Later, FreeRADIUS either runs an inner auth for new sessions and 
writes the values to the .vps file, or reads them from the .vps file for 
a resumed session.

There are cases where a .asn1 file will exist without a .vps - for 
example, if the client gets as far as establishing the TLS tunnel but 
hangs up before the inner auth completes, there will be no matching 
.vps. I can't remember if I coded for that that use-case :o(

A full debug of the initial session followed by the failing session 
would really help here.

Cheers,
Phil


More information about the Freeradius-Users mailing list