EAP TLS cache help

Alan DeKok aland at deployingradius.com
Tue Sep 20 22:45:00 CEST 2016


On Sep 20, 2016, at 1:59 PM, Dave Aldwinckle <daldwinc at uwaterloo.ca> wrote:
> I recently configured TLS caching, but I'm seeing some odd behavior that I can't explain. Users are getting authenticated, but I can't tell if there are actually any cache hits.

$ radiusd -X

  That's what it's there for.

  If you can't do that on a production system, clone the config to a new system, and run the tests there.

> In debug I can see the files getting written to disk, but I can't find any log messages that indicate a session was resumed from the cache (maybe I'm not looking for the right message?)

  They're generally only produced in debug mode.

> I'm also having a hard time explaining to myself why there are so many files being written. The cache expiry that I've set is 12 hours.

  You still have to clean up the files manually.  The server doesn't do that for you.

  Write a script which deletes files older than 12 hours.

  Future releases will work better here (3.1 / 4.0).  We've moved away from using OpenSSL's crappy cache, and written our own.  To our (non) surprise, our code works better.  A lot better.  And SSL sessions can then be cached in memory, disk, memcached, redis, ...

  Alan DeKok.
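The reply above says to clean the on-disk session cache with a script that removes files older than the configured 12-hour lifetime. The following POSIX shell function is an added example (not code from the thread or from the FreeRADIUS project); the cache directory and the 720-minute threshold are assumptions and must be set to the cache directory and lifetime from your own `eap` / `tls` configuration. It supports a dry run so you can see what would be removed before scheduling it from cron.

```shell
#!/bin/sh
# Added example, not FreeRADIUS project code.
# Prune FreeRADIUS on-disk TLS session cache files that are older than the
# cache lifetime. The server writes the files but does not expire them itself.
#
# Usage: purge_tls_cache DIR MINUTES [DRY_RUN]
#   DIR      - the TLS cache directory (assumption: whatever your tls config
#              points at; there is no default here on purpose)
#   MINUTES  - age threshold; 720 matches a 12-hour cache lifetime
#   DRY_RUN  - pass 1 to only report what would be removed
# Prints the number of files removed (or that would be removed) on stdout.
purge_tls_cache() {
    dir=$1
    minutes=$2
    dry=${3:-0}

    if [ ! -d "$dir" ]; then
        printf 'purge_tls_cache: no such directory: %s\n' "$dir" >&2
        return 1
    fi

    # The cache is a flat directory of per-session files, so stay at depth 1
    # and never follow into anything that is not a regular file.
    if [ "$dry" -eq 1 ]; then
        find "$dir" -maxdepth 1 -type f -mmin +"$minutes" -print \
            | wc -l | tr -d ' '
    else
        # -print runs before -delete for each match, so the count reported
        # is exactly the set of files that were removed.
        find "$dir" -maxdepth 1 -type f -mmin +"$minutes" -print -delete \
            | wc -l | tr -d ' '
    fi
}
```

A typical cron entry would call `purge_tls_cache /path/to/tls_cache 720` every hour; run it once with the dry-run flag first so the count it reports can be compared against what `radiusd -X` shows being written. The threshold is deliberately the same value as the cache lifetime: deleting files earlier than that would silently turn resumptions into full handshakes, which is the symptom the original question was trying to diagnose.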




More information about the Freeradius-Users mailing list