v3.0.12 session resumption
Chris Howley
C.P.Howley at leeds.ac.uk
Wed Feb 1 09:37:10 CET 2017
Hi,
I've looked at the debug output and can see that the Stripped-User-Name is being cached from the first authentication,
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x42a9f52b4aa0ecd4
(9) eap: Finished EAP session with state 0x42a9f52b4aa0ecd4
(9) eap: Previous EAP request found for state 0x42a9f52b4aa0ecd4, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: caching Stripped-User-Name = "xxxxxx"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) &reply::Stripped-User-Name += &session-state:Stripped-User-Name[*] -> 'xxxxxx'
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:46784 length 0
(9) MS-MPPE-Recv-Key = 0x8177f0129e6382a40366474afcbf0ce1aecbfc27dfae28446e9818664682c13e
(9) MS-MPPE-Send-Key = 0x84de4618d9d1bd713ed21ac4f65c10aa1929f907307f5ffa5e09bccbe4096786
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Am I correct in thinking that a subsequent authentication from the same client should result in the server looking
in the cache for an SSL session id, and that if it finds a match the server should skip phase 2 for that authentication?
There's no indication in the debug output that the server checks the cache.
Thanks,
Chris
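The session cache that the debug output above refers to is configured in the tls-config block of the eap module (raddb/mods-available/eap in 3.0.x). The following is an added example, not from Chris's mail or the FreeRADIUS distribution, showing that cache subsection; the persist_dir path is an assumed placeholder.

```conf
tls-config tls-common {
    # ... certificate, private_key_file, ca_file etc. unchanged ...

    cache {
        # Enable the in-memory TLS session cache. Without this the server
        # never stores the session, so there is nothing to resume and every
        # PEAP authentication runs the full inner (phase 2) exchange.
        enable = yes

        # Lifetime of a cached session, in hours. A resumed session skips
        # phase 2, so this value bounds how long a client can reconnect
        # without presenting its inner credentials again; keep it short.
        lifetime = 24

        # Maximum number of sessions held in memory.
        max_entries = 255

        # Optional: also write sessions to disk so they survive a restart.
        # The debug line "Failed to find 'persist_dir' in TLS configuration"
        # is what you see when this is not set. Assumed placeholder path.
        persist_dir = "${logdir}/tlscache"
    }
}
```

Attributes listed in the "caching Stripped-User-Name" line are stored with the session and restored into session-state on resumption, so the post-auth update above still works when phase 2 is skipped.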