Force update of TLS cache

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Tue Mar 1 15:15:14 CET 2016


On 29/02/16 16:30, Alan DeKok wrote:
> On Feb 29, 2016, at 11:26 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>> The debug log shows that TLS-Session-Id is created in packet 4, in the outer authorize section.
>
>    OK, so it should be available in the request.
>
>    You may have to copy it to session-state, so it's available in later packets.
>
>> And it does this:
>>
>> (6)        update request {
>> (6)          TLS-Session-Id skipped: No values available
>> (6)        } # update request (noop)
>>
>> I don't understand why the attribute is not available later on in the same session.
>
>    Because it's not being added to the session-state attributes.  Again, "request" is PER PACKET.  "session-state" is for the SESSION.
>
>    Adding something to the request in packet 4 means it's not available in the request in packet 6.  That's what the session-state is for.
>
>    The default config should probably add TLS-Session-Id to session-state.  I'll take a look.  But for you, you'll have to do it manually.
>

OK, thanks. Sorry to keep coming back to you - I'm having trouble 
getting TLS-Session-Id into session-state.

I'm using this unlang snippet to do the assignment:

update session-state {
     TLS-Session-Id := &TLS-Session-Id
}

I've placed it in various places in the outer server, immediately after 
the eap module has been called in authorize{}, immediately after the eap 
module has been called in authenticate{}, and inside and outside the 
Auth-Type eap subsection inside authenticate{}. I would think it should 
be available immediately after the eap module has done its thing.

All of these positions cause it to fail with the following error:

(6)        update request {
(6)          TLS-Session-Id skipped: No values available
(6)        } # update request (noop)

Thanks,
Jonathan

