Session resumption
Alan DeKok
aland at deployingradius.com
Mon Feb 15 16:11:34 CET 2016
On Feb 15, 2016, at 9:11 AM, Paul Seward <Paul.Seward at bristol.ac.uk> wrote:
>> We've upgraded our FreeRADIUS 2.2.x servers to FreeRADIUS 3.0.11 because
>> it was about time. Since then, we're having a subtle problem with session
>> resumption where in some cases, FreeRADIUS returns two Access-Accept
>> packets, each with differing VLAN information which breaks the client.
One is a resumed session, one isn't a resumed session.
> Further to my colleague Jonathan's email from last week, we've now managed
> to reproduce this issue reliably, using eapol_test.
That's good.
> Output of "radiusd -X" covering server startup and a failed test auth can
> be found here
> https://www.wireless.bris.ac.uk/software-archive/fr3-debug-20160215.txt as
> it was too big to attach to this message.
Looking at it there aren't two Access-Accepts. There are two authentications from the client. This is very different.
> However, it appears that on a resumed session, the Reply:User-Name is blank
> after the session details are pulled out of the cache - which is why our
> VLAN selection logic fails to perform as expected. E.g.:
You should be able to use the cache module, and not rely on the internal caching.
> I'm hesitant to speculate about what's going on, but it looks to me like
> the cache is being populated with the wrong value for
> Reply:Stripped-User-Name - instead of being a stripped version of the
> Reply:User-Name (from the inner) it's based on the anonymous outer identity.
The server is configurable, so you should be able to edit that.
> [Lines 4315-4317]
> (12) eap_peap: Adding cached attributes from session
> bae26d00e8f00847e2e781985039e5f978cd8856e804b3c7ac6ce276e084f7d9
> (12) eap_peap: reply:User-Name := "iser-linauth at bristol.ac.uk"
> (12) eap_peap: reply:Stripped-User-Name = "anonymous"
That's adding the cached reply to the *non-final* packet. We've re-worked this in v3.1.x by deleting the old SSL session cache, which had issues. It's replaced with the cache module, which is much better.
In 3.0, you should be saving the reply to the session-state list. See raddb/sites-available/default. Look for session-state.
I.e., in packet 12, save the reply attributes User-Name and Stripped-User-Name to session-state. Then, in post-auth, retrieve them, and add them to the reply.
Alan DeKok.
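The configuration sketched in the reply above, written out as an added example (editor's illustration, not text from the thread and not the stock FreeRADIUS 3.0.x configuration). It assumes the usual inner-tunnel/default pair of virtual servers, and the realm and VLAN ids in the outer post-auth are hypothetical placeholders for the list's own VLAN selection logic.

```unlang
#  raddb/sites-available/inner-tunnel  (the PEAP inner virtual server)
#
#  The inner authentication is the only place the real identity is
#  known.  Stash it in the OUTER request's session-state list, which
#  the server carries across the EAP round trips of one session,
#  instead of relying on eap_peap copying the inner reply outward.
post-auth {
	update outer.session-state {
		&User-Name := &User-Name
	}

	#  Stripped-User-Name only exists if a realm was stripped in the
	#  inner tunnel, so guard the copy rather than assign a missing value.
	if (&Stripped-User-Name) {
		update outer.session-state {
			&Stripped-User-Name := &Stripped-User-Name
		}
	}
}

#  raddb/sites-available/default  (the outer virtual server)
#
#  post-auth here runs for the final Access-Accept, so the VLAN is
#  chosen once, from the saved inner identity, never from the anonymous
#  outer identity.  Realm and VLAN ids are hypothetical.
post-auth {
	if (&session-state:User-Name =~ /@bristol\.ac\.uk$/) {
		update reply {
			&Tunnel-Type             := VLAN
			&Tunnel-Medium-Type      := IEEE-802
			&Tunnel-Private-Group-Id := "100"
		}
	}
	else {
		update reply {
			&Tunnel-Type             := VLAN
			&Tunnel-Medium-Type      := IEEE-802
			&Tunnel-Private-Group-Id := "999"
		}
	}
}
```

The check worth keeping is on a resumed session: there is no inner tunnel on resumption, so whether session-state still holds the saved User-Name depends on what the 3.0 TLS session cache restores. Confirm with radiusd -X that the resumed request's post-auth sees the expected &session-state:User-Name before trusting the VLAN decision; if it does not, the cache module Alan points at is the supported place to persist the identity across resumptions.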