v3.0.12 SSL session resumption
Chris Howley
C.P.Howley at leeds.ac.uk
Tue Jan 31 13:59:05 CET 2017
Hi,
I'm configuring FR 3.0.12 and I'm unable to get SSL session resumption / fast reauthentication
to work. The first authentication caches the Stripped-User-Name.
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: caching Stripped-User-Name = "XXXXXX"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
The second auth doesn't appear to use the cache but continues to phase 2 auth protocol. Am I failing to
return the relevant attributes required for session resumption / fast reauthentication to work?
Thanks,
Chris Howley
In the post-auth section of site-enabled/inner-tunnel
#
# Instead of "use_tunneled_reply", uncomment the
# next two "update" blocks.
#
update {
        &outer.session-state: += &reply:
}
#
# These attributes are for the inner session only.
# They MUST NOT be sent in the outer reply.
#
# If you uncomment the previous block and leave
# this one commented out, WiFi WILL NOT WORK,
# because the client will get two MS-MPPE-keys
#
update outer.session-state {
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
}
In eap.conf
cache {
        enable = yes
        lifetime = 24 # hours
        max_entries = 255
        #name = "EAP module"
        #persist_dir = "${logdir}/tlscache"
}
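
Added example, not part of the original post and not FreeRADIUS code: a small Python check that reads the cache block as posted, separates the items in effect from the commented-out ones, and matches the "Failed to find '...'" debug line against the commented-out items. The function names and the embedded sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the cache block and two debug lines copied from the post above.
EAP_CONF = '''
cache {
    enable = yes
    lifetime = 24 # hours
    max_entries = 255
    #name = "EAP module"
    #persist_dir = "${logdir}/tlscache"
}
'''
DEBUG_LOG = '''
(9) eap_peap: caching Stripped-User-Name = "XXXXXX"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
'''

# item = value, optionally prefixed by '#' (a commented-out item)
ITEM = re.compile(r'^(#?)\s*([A-Za-z_][\w-]*)\s*=\s*("[^"]*"|[^#\s]+)')

def parse_block(text, block):
    """Return (active, commented_out) dicts for the items inside `block { ... }`."""
    active, commented, depth, inside = {}, {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            inside = re.fullmatch(re.escape(block) + r'\s*\{', line) is not None
            depth = 1 if inside else 0
            continue
        if line.endswith('{') and not line.startswith('#'):
            depth += 1                      # nested subsection, items in it are skipped
        elif line == '}':
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and (m := ITEM.match(line)):
            target = commented if m.group(1) else active
            target[m.group(2)] = m.group(3).strip('"')
    return active, commented

def explain_missing(log, commented):
    """Map each item named in a "Failed to find '<item>'" line to its commented-out value."""
    missing = re.findall(r"Failed to find '([^']+)'", log)
    return {k: commented.get(k) for k in missing}

if __name__ == "__main__":
    active, commented = parse_block(EAP_CONF, "cache")
    print("in effect:     ", active)
    print("commented out: ", commented)
    print("log complaints:", explain_missing(DEBUG_LOG, commented))
```

On the posted configuration this shows that the persist_dir item named in the debug message is present in the cache block but commented out, together with name.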