Force update of TLS cache

Jonathan Gazeley Jonathan.Gazeley at
Mon Feb 29 15:44:30 CET 2016

On 29/02/16 14:01, Alan DeKok wrote:
> On Feb 29, 2016, at 8:34 AM, Jonathan Gazeley <Jonathan.Gazeley at> wrote:
>> In our EAP-PEAP sessions, the typical conversation length is 10 packets. We have TLS caching enabled, but I noticed the TLS cache is populated during packet 4, which is before processing has started on the tunneled authentication.
>    The session is cached when the TLS connection has been established.
>> Is it possible to force an update of the cache entry from the inner-tunnel server e.g. to add attributes that are only available at this stage? I attempted to call an update by doing this in the inner-tunnel server:
>> update control {
>>     Cache-TTL := 0
>> }
>> cache_tls_session
>> This caused authentications to fail with "cache_tls_session (fail)" and no further information is given. Is it possible to do this?
>    It's better to update the cache in the outer post-auth section.  The cache key is more likely to be the same.

Just tried that. It fails like this:

(9)  Running section post-auth from file 
(9)    post-auth {
(9)      update control {
(9)        &control:Cache-TTL := 0
(9)      } # update control (noop)
(9)      cache_tls_session (fail)
(9)    } # post-auth (fail)

Have we got the syntax wrong?

