FR3 and EAP-TLS session cache
Jüri Palis
jyri.palis at gmail.com
Thu Jun 18 14:49:10 CEST 2015
Hi,
This is my eap configuration. The in-memory cache is enabled; the persistent cache is not, as there is no path (persist_dir) defined for saving session data.
Thu Jun 18 07:30:20 2015 : Debug: # Linked to sub-module rlm_eap_tls
Thu Jun 18 07:30:20 2015 : Debug: tls {
Thu Jun 18 07:30:20 2015 : Debug: tls = "tls-common"
Thu Jun 18 07:30:20 2015 : Debug: virtual_server = "check-eap-tls"
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: tls-config tls-common {
Thu Jun 18 07:30:20 2015 : Debug: rsa_key_exchange = no
Thu Jun 18 07:30:20 2015 : Debug: dh_key_exchange = yes
Thu Jun 18 07:30:20 2015 : Debug: rsa_key_length = 512
Thu Jun 18 07:30:20 2015 : Debug: dh_key_length = 512
Thu Jun 18 07:30:20 2015 : Debug: verify_depth = 0
Thu Jun 18 07:30:20 2015 : Debug: pem_file_type = yes
Thu Jun 18 07:30:20 2015 : Debug: private_key_file = "/etc/raddb/certs/radius.key"
Thu Jun 18 07:30:20 2015 : Debug: certificate_file = "/etc/raddb/certs/radius.crt"
Thu Jun 18 07:30:20 2015 : Debug: ca_file = "/etc/raddb/certs/root_ca.crt"
Thu Jun 18 07:30:20 2015 : Debug: private_key_password = "xxxxxx"
Thu Jun 18 07:30:20 2015 : Debug: dh_file = "/etc/raddb/certs/dh"
Thu Jun 18 07:30:20 2015 : Debug: fragment_size = 1024
Thu Jun 18 07:30:20 2015 : Debug: include_length = yes
Thu Jun 18 07:30:20 2015 : Debug: check_crl = no
Thu Jun 18 07:30:20 2015 : Debug: cipher_list = "ALL:!MEDIUM:!LOW"
Thu Jun 18 07:30:20 2015 : Debug: check_cert_issuer = "/DC=com/DC=example/CN=RootCA"
Thu Jun 18 07:30:20 2015 : Debug: ecdh_curve = "prime256v1"
Thu Jun 18 07:30:20 2015 : Debug: cache {
Thu Jun 18 07:30:20 2015 : Debug: enable = yes
Thu Jun 18 07:30:20 2015 : Debug: lifetime = 24
Thu Jun 18 07:30:20 2015 : Debug: max_entries = 255
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: verify {
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: ocsp {
Thu Jun 18 07:30:20 2015 : Debug: enable = no
Thu Jun 18 07:30:20 2015 : Debug: override_cert_url = yes
Thu Jun 18 07:30:20 2015 : Debug: url = "http://127.0.0.1/ocsp/"
Thu Jun 18 07:30:20 2015 : Debug: use_nonce = yes
Thu Jun 18 07:30:20 2015 : Debug: timeout = 0
Thu Jun 18 07:30:20 2015 : Debug: softfail = no
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: }
It's done more or less the way the comments in the original eap configuration file instruct.
>> But I had an impression that in-memory and persistent cache behave exactly the same way except persistent cache can survive daemon restarts. So what you are saying is that EAP-TLS session resumption works only when persistent disk caching is enabled?
>
> No. My tests show that if you enable the "cache" sub-section of the EAP module, it does in-memory session caching.
>
> You MUST set attributes to cache. See raddb/mods-available/eap, and the "cache" sub-section.
What does this mean? Do I have to explicitly define a list of attributes including TLS-* which must be stored in cache?
>
> The TLS-* attributes are available ONLY when a client certificate is used, as with EAP-TLS.
This is exactly the case here: clients authenticate with certificates, which is the whole point of EAP-TLS.
>
> It works in all of my tests.
>
Did you test Win7 supplicant with EAP-TLS? Did you test configuration with ‘check-eap-tls’?
Regards,
Jyri.
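As an added example (not from this post or the FreeRADIUS project), a small Python parser for the debug-mode config dump quoted above: it rebuilds the nested { } blocks and reports whether the TLS session cache is disabled, in-memory, or persistent (persistent requires a persist_dir, as the poster notes), and which certificate revocation checks the dump shows switched off. The sample input is a constructed subset of the dump in the post.

```python
import re
# Constructed sample: a subset of the radiusd debug dump quoted in the post.
SAMPLE_DEBUG = """\
Thu Jun 18 07:30:20 2015 : Debug: tls-config tls-common {
Thu Jun 18 07:30:20 2015 : Debug: check_crl = no
Thu Jun 18 07:30:20 2015 : Debug: cache {
Thu Jun 18 07:30:20 2015 : Debug: enable = yes
Thu Jun 18 07:30:20 2015 : Debug: lifetime = 24
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: ocsp {
Thu Jun 18 07:30:20 2015 : Debug: enable = no
Thu Jun 18 07:30:20 2015 : Debug: }
Thu Jun 18 07:30:20 2015 : Debug: }
"""
# Strips the "<timestamp> : Debug: " prefix that debug mode puts on every line.
PREFIX = re.compile(r"^.*?: Debug: ")

def parse_debug_config(text):
    """Rebuild the nested { } blocks of a debug dump as nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.endswith("{"):
            # "tls-config tls-common {" -> block named "tls-common"
            block = {}
            stack[-1][line[:-1].split()[-1]] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:  # "# Linked to ..." comment lines fall through and are ignored
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    return stack[0]

def cache_mode(tls_cfg):
    """disabled / in-memory / persistent, from the cache sub-section."""
    cache = tls_cfg.get("cache", {})
    if cache.get("enable", "no") != "yes":
        return "disabled"
    # Without persist_dir, resumable sessions live only in daemon memory.
    return "persistent" if cache.get("persist_dir") else "in-memory"

def revocation_findings(tls_cfg):
    """List the revocation checks this config leaves switched off."""
    findings = []
    if tls_cfg.get("check_crl", "no") != "yes":
        findings.append("check_crl is off")
    if tls_cfg.get("ocsp", {}).get("enable", "no") != "yes":
        findings.append("ocsp is disabled")
    return findings
```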