Force update of TLS cache
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Mon Feb 29 15:44:30 CET 2016
On 29/02/16 14:01, Alan DeKok wrote:
> On Feb 29, 2016, at 8:34 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>>
>> In our EAP-PEAP sessions, the typical conversation length is 10 packets. We have TLS caching enabled, but I noticed the TLS cache is populated during packet 4, which is before processing has started on the tunneled authentication.
>
> The session is cached when the TLS connection has been established.
>
>> Is it possible to force an update of the cache entry from the inner-tunnel server e.g. to add attributes that are only available at this stage? I attempted to call an update by doing this in the inner-tunnel server:
>>
>> update control {
>>     Cache-TTL := 0
>> }
>> cache_tls_session
>>
>> This caused authentications to fail with "cache_tls_session (fail)" and no further information is given. Is it possible to do this?
>
> It's better to update the cache in the outer post-auth section. The cache key is more likely to be the same.
>
Just tried that. It fails like this:
(9) Running section post-auth from file /etc/raddb/sites-enabled/eduroamlocal-auth
(9)   post-auth {
...
(9)     update control {
(9)       &control:Cache-TTL := 0
(9)     } # update control (noop)
(9)     cache_tls_session (fail)
(9)   } # post-auth (fail)
Have we got the syntax wrong?
Thanks,
Jonathan