Cached attributes

Alan DeKok aland at deployingradius.com
Thu Feb 25 15:02:30 CET 2016


On Feb 25, 2016, at 7:29 AM, Paul Seward <Paul.Seward at bristol.ac.uk> wrote:
> 
> On 25 February 2016 at 12:19, Jonathan Gazeley <
> Jonathan.Gazeley at bristol.ac.uk> wrote:
> 
>> 
>> - whether they have been suspended for being naughty
>> 
> 
> This is the one which means we're reluctant to cache the vlan attribute
> between authentications.

  In 3.1, you can update the cache remotely, especially if you use redis or memcached.  That can be used to delete existing sessions.

  Or, use CoA, and if the server receives a CoA, delete the cache entry for that user.  That way you can nuke the cache by sending a CoA or Disconnect-Request to the server.

> To make the decision about whether or not the user needs to be "contained"
> we need their actual username (ie from the inner) and not whatever they
> happen to tell us their username is in the outer.

  Exactly.

> Which is when we have a "resumed" session which doesn't run the inner
> (because it's being resumed from the tls cache) we're failing to do the
> right vlan calculations.

  If you cache the Inner-User-Name,  and key off of that for all VLAN decisions, you should be safe.

  e.g.

1) authenticate user, update Inner-User-Name

  a) cache this

  b) in post-auth, send VLAN based on Inner-User-Name

2) on resumption

  a) get Inner-User-Name from the cache

  b) in post-auth, send VLAN based on Inner-User-Name

  Alan DeKok.




More information about the Freeradius-Users mailing list