EAP-TLS context uninitialized

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Wed Jan 6 15:37:05 CET 2016


Hi,
  Yes, caching is switched on with both instances. Apt cache reports: Version: 1.0.1e-3ubuntu1 (FR reports 1.0.1e release) on both servers. If I disable caching on the newer, the issue goes away. I do remember being told to remove lifetime and caching options for the eap cache configuration when I compiled the newer version come to think of it, so I guess something has altered internally (read "made better/shinier/better mannered!")
I'll have a look at what I'd need to do to get 1.0.2 openssl going on the server I've got.
Thanks
Andy


> On Jan 5, 2016, at 2:28 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> 
> Hi Arran,
>  I'll check the NAS but am confused as it should (to me) have been a problem before. Pre-auth is turned on, but never caused a problem previously.

That's different: you're talking about 802.11 PMK caching; this is TLS session resumption, where the keys, certificates, and negotiated cipher suites from a previous TLS session are re-used.

TLS session resumption is controlled by the cache section in the eap configuration file.  It should be a toggle.  If it's not there, try using an updated version of the mods-available/eap file; many settings for cache control have changed.

> It seems to be generally worse when there are lots of auth requests, but then sometimes there's just one happening and it'll do it. It's not related to client detail, as sometimes a specific client is fine, and on another occasion it'll fail.
> I've yet to check it in non-debug mode, which is a bit daft of me, it's obviously running single threaded and echoing to screen, maybe that's slowing it to "not coping" point.

Not unless you're putting significant load on it.

> I'll keep digging, guess there's nothing obvious between versions?

No, and I've never seen that message before, but we have rewritten a lot of the EAP-TLS code in v3.1.x.

Knowing the OpenSSL version would be useful too (output at the top of the radiusd -X output). I mostly test with 1.0.2; Travis will probably be 0.9.8, so interactions with 1.0.0 and 1.0.1 are not well tested.

-Arran
