Session caching in v3.0.9

Alan DeKok aland at deployingradius.com
Mon Aug 31 21:12:04 CEST 2015


On Aug 31, 2015, at 2:06 PM, Jason Alderfer <jha2 at emu.edu> wrote:
> I'm having trouble getting session caching to work in 3.0.9.

  What are you trying to cache?  And when?

  It's not clear what you mean by "session caching".

> In my config a user's VLAN is determined based on an LDAP search and in
> some cases by an external program (exec).  This is done in the inner-tunnel.
> 
> For session caching I added the following to post-auth of inner-tunnel:
> 
> if ( reply:Tunnel-Private-group-ID ) {
>         update reply {
>                 Cached-Session-Policy := "vlan=%{reply:Tunnel-Private-Group-ID}"
>         }
> }

  Which caches things.  Have you also enabled the "cache" module?  If not, that explains why nothing's being cached.

> And the following to post-auth of default:
> 
> if ( reply:Cached-Session-Policy ) {
>         if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
>                 update reply {
>                         Reply-Message += "Cached policy:%{reply:Cached-Session-Policy}"
>                         Tunnel-Private-Group-ID := "%{1}"
>                         Tunnel-Type := VLAN
>                         Tunnel-Medium-Type := IEEE-802
>                 }
>         }
> }

  That just sets the cache policy.  It does NOT say "run the cache module".

> Question 1:  use_tunneled_reply.  Is it truly deprecated in the case of
> session caching?

  It's deprecated.  You should use "session-state" for attributes which need to be tracked during an ongoing Access-Request / Access-Challenge series of packets.  See raddb/sites-available/default.  Look for "session-state".

  But that is NOT the same as TLS session caching.

>  When I use the alternative given in the example config
> file, I never see any .vps file saved in the disk cache though there is a
> .asn1 file.  When I revert to use_tunneled_reply=yes the .vps files appear
> and their content appears correct.

  Did you configure the TLS session caching in raddb/mods-available/eap?

  This is NOT the same thing as the "cache" module.  And it's NOT the same thing as the session-state.

> Question 2:  See attached debug log.  When a session resumes, the cached
> info appears to be read correctly from the cache (see "Debug: (41)") but it
> never gets sent back in the reply (see "Debug: (42)").

  Try using v3.0.x from github.  It may be better.  I've put a few fixes in which should help.

  And be clear on what you're caching, and why.  The configuration comes with many examples.  Read them.  Follow the examples.  Do ONE thing at a time.

  Alan DeKok.
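
Two of the mechanisms the reply above tells apart, TLS session caching in the eap module and the session-state list, are configured in different files. The fragments below are an added illustration, not part of the original message and not either poster's configuration; they follow the layout of the stock v3.0.x raddb files as an assumption, and the cache values are sample values to check against the installed version.

```unlang
# --- raddb/mods-available/eap (fragment) ---
# TLS session caching: lets a client resume an earlier TLS session
# instead of running a full handshake and inner authentication again.
eap {
	tls-config tls-common {
		cache {
			enable = yes
			lifetime = 24		# hours (sample value)
			# On-disk store for the .asn1 and .vps files.  The
			# directory holds TLS session data, so keep it readable
			# only by the user radiusd runs as.
			persist_dir = "${logdir}/tlscache"
		}
	}
}

# --- raddb/sites-available/inner-tunnel (fragment) ---
# session-state: the replacement for use_tunneled_reply.  Copy the
# inner reply into the OUTER session-state list, which is kept across
# the Access-Request / Access-Challenge exchange.
post-auth {
	update {
		&outer.session-state: += &reply:
	}
}

# --- raddb/sites-available/default (fragment) ---
# At the end of the exchange, move what was collected in session-state
# into the reply that goes out in the Access-Accept.
post-auth {
	update {
		&reply: += &session-state:
	}
}
```

The "cache" module (raddb/mods-available/cache) is a third, separate mechanism and is not shown here.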



