Issues with Cached-Session-Policy in versions of FR after 3.0.8.
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jan 12 18:18:42 CET 2016
In v3.1.x:
modules {
    cache cache_tls_session {
        driver = 'rlm_cache_redis'

        # Alc-Subsc-ID-Str is unique to each class/type of device on a circuit
        # NAS-Port-ID is used as the default by the DR if one is not provided
        # in the Access-Accept
        key = "cert:tls_session:%{hex:&TLS-Session-ID}"

        ttl = 86400 # 24 hrs

        # When creating or updating the flow is right to left.
        # When reading/merging the flow is left to right.
        #   The cache entry       The current request
        update {
            &session-state: += &session-state:[*]
        }
    }
}

server tls-cache {
    #
    # Only the "authorize" section is needed.
    # Only the listed Autz-Types are used.
    # Everything else in the virtual server is ignored.
    #
    # The attribute &request:TLS-Session-Identity is set to the identity
    # of the session to read / write / delete from the cache. This
    # identity is an opaque blob.
    #
    authorize {
        Autz-Type Session-Cache-Read {
            update control {
                Cache-Allow-Insert := no
            }
            cache_tls_session
        }

        Autz-Type Session-Cache-Write {
            update control {
                Cache-TTL := 0
            }
            cache_tls_session
        }

        Autz-Type Session-Cache-Delete {
            update control {
                Cache-TTL := 0
                Cache-Allow-Insert := no
            }
            cache_tls_session
        }
    }
}

eap {
    tls-common {
        cache {
            enable = yes
            virtual_server = 'tls-cache'
        }
    }
}
Put stuff in session-state and it's automatically restored if the session is resumed... because you're resuming the session, right? And session-state is the state of the session...

The main requirement with this method is that everything you want to store in session-state is in there by the time the TLS session is ready to be frozen, so you likely want to run your policies in the post-auth section of the inner tunnel.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
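To make the read / write / delete semantics of the tls-cache virtual server concrete, here is an added toy model in Python; it is not rlm_cache or any FreeRADIUS code, and it assumes an in-memory dict in place of the Redis driver, a caller-supplied clock, and a constructed sample TLS-Session-ID.

```python
# Toy model of the tls-cache virtual server (not rlm_cache itself): a dict
# stands in for the Redis driver, and "now" is passed in as seconds.
from typing import Dict, List, Tuple

TTL_SECONDS = 86400  # ttl = 86400 in cache_tls_session (24 hrs)
Attrs = List[Tuple[str, str]]  # session-state as (attribute, value) pairs

def cache_key(tls_session_id: bytes) -> str:
    """Expand key = "cert:tls_session:%{hex:&TLS-Session-ID}"."""
    return "cert:tls_session:" + tls_session_id.hex()

class TlsSessionCache:
    def __init__(self, ttl: int = TTL_SECONDS) -> None:
        self.ttl = ttl
        self._store: Dict[str, Tuple[float, Attrs]] = {}

    def write(self, sid: bytes, session_state: Attrs, now: float) -> None:
        # Session-Cache-Write: entry built from the request's
        # &session-state:[*] (flow right to left) and stamped with the TTL.
        self._store[cache_key(sid)] = (now + self.ttl, list(session_state))

    def read(self, sid: bytes, request_state: Attrs, now: float) -> bool:
        # Session-Cache-Read: Cache-Allow-Insert := no, so a miss creates
        # nothing; a hit is merged into the request (flow left to right).
        key = cache_key(sid)
        entry = self._store.get(key)
        if entry is None:
            return False
        expires, state = entry
        if now >= expires:
            del self._store[key]  # expired: client must do a full handshake
            return False
        request_state.extend(state)
        return True

    def delete(self, sid: bytes) -> bool:
        # Session-Cache-Delete: drop the entry, never insert one.
        return self._store.pop(cache_key(sid), None) is not None

def demo() -> Tuple[Attrs, bool]:
    cache = TlsSessionCache()
    sid = bytes.fromhex("0a1b2c3d")  # constructed sample TLS-Session-ID
    t0 = 1_000_000.0
    # Full auth: inner-tunnel post-auth put the user's VLAN into
    # session-state before the TLS session was frozen.
    cache.write(sid, [("Tunnel-Private-Group-Id", "42")], now=t0)
    restored: Attrs = []  # resumption an hour later: inner tunnel skipped
    hit = cache.read(sid, restored, now=t0 + 3600)
    stale: Attrs = []  # past the TTL the cached authorization is gone
    return (restored if hit else [], cache.read(sid, stale, now=t0 + TTL_SECONDS + 1))
```

Note that whatever authorization the inner tunnel decided is replayed unchanged on every resumption until the TTL expires, so the 24 hour ttl bounds how stale that decision can get.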