Cached attributes

Paul Seward Paul.Seward at bristol.ac.uk
Thu Feb 25 13:29:24 CET 2016


On 25 February 2016 at 12:19, Jonathan Gazeley <
Jonathan.Gazeley at bristol.ac.uk> wrote:

>
> - whether they have been suspended for being naughty
>

This is the one which means we're reluctant to cache the vlan attribute
between authentications.  We want to be able to drop people into our
"containment" vlan promptly when we get wind of abusive behaviour, and if
we're caching the vlan itself they won't get put in the new vlan until the
cache entry expires.

To make the decision about whether or not the user needs to be "contained"
we need their actual username (i.e. from the inner) and not whatever they
happen to tell us their username is in the outer.

Which is why, when we have a "resumed" session which doesn't run the inner
(because it's being resumed from the tls cache) we're failing to do the
right vlan calculations.

Does that make more sense?

-Paul
-- 
----------------------------------------------------------------------
Paul Seward,    Senior Systems Administrator,    University of Bristol
Paul.Seward at bristol.ac.uk  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2
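
The problem described in the message above, as an added example that is not part of the original post: a small Python model in which a resumed session skips the inner tunnel, comparing a cache that stores the VLAN with one that stores the inner username and recomputes the VLAN on every authentication. The class, VLAN numbers, session id and usernames are constructed for illustration, and caching the inner identity is an assumption, not something the post states.

```python
"""Model of VLAN assignment across full and resumed EAP sessions (constructed example)."""

CONTAINMENT_VLAN = 666   # constructed value
DEFAULT_VLAN = 100       # constructed value


class VlanPolicy:
    def __init__(self, cache_vlan):
        self.cache_vlan = cache_vlan   # True: store the VLAN; False: store the inner identity
        self.suspended = set()         # usernames flagged for containment
        self.session_cache = {}        # TLS session id -> cached value

    def vlan_for(self, username):
        # The decision always reflects the current suspension state.
        return CONTAINMENT_VLAN if username in self.suspended else DEFAULT_VLAN

    def full_auth(self, session_id, outer_identity, inner_identity):
        # The inner tunnel ran, so the real username is known; the outer one is ignored.
        vlan = self.vlan_for(inner_identity)
        self.session_cache[session_id] = vlan if self.cache_vlan else inner_identity
        return vlan

    def resumed_auth(self, session_id, outer_identity):
        # The inner tunnel is skipped on resumption: only the outer identity and the cache exist.
        cached = self.session_cache.get(session_id)
        if cached is None:
            return None                # no entry: the caller must force a full authentication
        if self.cache_vlan:
            return cached              # stale until the cache entry expires
        return self.vlan_for(cached)   # recomputed from the cached real username


def simulate(cache_vlan):
    policy = VlanPolicy(cache_vlan)
    first = policy.full_auth("sess-1", "anonymous@example.org", "ab12345")
    policy.suspended.add("ab12345")    # abuse reported between authentications
    resumed = policy.resumed_auth("sess-1", "anonymous@example.org")
    return first, resumed


if __name__ == "__main__":
    print("cache VLAN:    ", simulate(cache_vlan=True))
    print("cache identity:", simulate(cache_vlan=False))
```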

