*TLS* Session caching in v3.0.9

Jason Alderfer jha2 at emu.edu
Fri Sep 4 22:57:18 CEST 2015

On Fri, Sep 4, 2015 at 2:38 PM, Alan DeKok <aland at deployingradius.com>

> On Sep 4, 2015, at 12:16 PM, Jason Alderfer <jha2 at emu.edu> wrote:
> > 2.  With the above in place, caching appears to work correctly.  All
> > expected attributes are in the cache, and on session resumption they are
> > read correctly from the cache, however they are not sent back in the
> final
> > reply.  See below.
>   You're not putting anything into session-state.  So when you're taking
> the reply attributes from the &session-state, nothing is there.
>   There's a lot of moving parts here.
> a) attributes which need to be saved across multiple Access-Challenges
> MUST be put into the "session-state" list.
> b) you must set Cached-Session-Policy some time BEFORE the session
> finishes, so that the TLS session is cached, with the policy.
> c) on session resumption, the Cached-Session-Policy is read from the cache
> and put back into the reply list.  The "inner tunnel" isn't executed.
> d) if the next packet is an Access-Accept, you can key off of
> Cached-Session-Policy in the post-auth section, to set your reply attributes
> e) if the next packet is an Access-Challenge, you MUST copy
> Cached-Session-Policy to &session-state, so that it can be used in the next
> Access-Accept
Success!  The crucial missing piece was wrapping my policy processing code
in a "Post-Auth-Type Challenge" so it would be called on session
resumption, and setting values in session-state, not reply, like so:

Post-Auth-Type Challenge {
        if ( reply:Cached-Session-Policy ) {
                if ( reply:Cached-Session-Policy =~ /vlan=(.+)/ ) {
                        update session-state {
                                Reply-Message += "Cached
                                Tunnel-Private-Group-ID := "%{1}"
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802

Thanks for your help with this, Alan.  I appreciate your time.

Jason Alderfer

More information about the Freeradius-Users mailing list