Cached attributes

Alan DeKok aland at
Wed Feb 24 15:38:36 CET 2016

On Feb 24, 2016, at 9:24 AM, Jonathan Gazeley <Jonathan.Gazeley at> wrote:
> With your suggested change, for some reason it does a noop

  That's fine.

> (8)        update outer.session-state {
> (8)          &outer.session-state:User-Name = &User-Name -> "iser-linauth at"
> (8)        } # update outer.session-state (noop)

  The "update" section isn't a module, and doesn't have the normal module return codes.

> The outer User-Name should at this point be anonymous at so I would expect this update operation to make a change and set &outer.session-state:User-Name to iser-linauth etc.
> I'm not sure if I'm tying myself in knots here. Basically, in the past we've decided on the user's VLAN in outer post-auth based on their inner username, which we access like %{reply:User-Name} with use_tunneled_reply=yes. This doesn't work with resumed sessions in FR3 like it did on FR2 and we haven't been able to figure out why.

  We reworked some of the SSL cache, which was required for new features.  It *should* continue to work, though.

  But if you're putting attributes into the session-state list, they will remain there for the lifetime of the authentication session.  i.e. NOT the SSL session. The "session-state" list is NOT an SSL cache, and has nothing to do with SSL.

  The SSL cache remains the same in v3.0 as in v2.2.  But again, putting things into session-state does NOT put them in the SSL cache.

  Alan DeKok.

More information about the Freeradius-Users mailing list