Force update of TLS cache

Alan DeKok aland at
Mon Feb 29 15:01:47 CET 2016

On Feb 29, 2016, at 8:34 AM, Jonathan Gazeley <Jonathan.Gazeley at> wrote:
> In our EAP-PEAP sessions, the typical conversation length is 10 packets. We have TLS caching enabled, but I noticed the TLS cache is populated during packet 4, which is before processing has started on the tunneled authentication.

  The session is cached when the TLS connection has been established.

> Is it possible to force an update of the cache entry from the inner-tunnel server e.g. to add attributes that are only available at this stage? I attempted to call an update by doing this in the inner-tunnel server:
> update control {
>    Cache-TTL := 0
> }
> cache_tls_session
> This caused authentications to fail with "cache_tls_session (fail)" and no further information is given. Is it possible to do this?

  It's better to update the cache in the outer post-auth section.  The cache key is more likely to be the same.

  Alan DeKok.

More information about the Freeradius-Users mailing list