PEAP - fast reconnect

Alan DeKok aland at deployingradius.com
Wed Aug 21 16:28:16 CEST 2019


On Aug 21, 2019, at 10:18 AM, Marcin Marszałkowski <m.marszal at wp.pl> wrote:
> 
>> What does that mean?  Which "configured folder"?
> I meant "persist_dir", as it is set in the eap module and radius.conf. None of the configuration files are missing, everything is in /etc/freeradius/3.0/

  Ok...

> radiusd.conf:

  No, we don't need to see the configuration files.  The documentation says that.

> And persist_dir = "/var/lib/radiusd/tlscache" is empty

  Files get added there only when the user has been authenticated.

> But another part of debug says (rejection is ok - user restricted by logintime):

  It doesn't say "rejection is ok".  It says SOME things succeed (ok), and OTHER things caused a reject.

> (41) eap_peap: Continuing EAP-TLS
> (41) eap_peap: [eaptls verify] = ok
> (41) eap_peap: Done initial handshake
> (41) eap_peap: [eaptls process] = ok
> (41) eap_peap: Session established.  Decoding tunneled attributes
> (41) eap_peap: PEAP state send tlv failure
> (41) eap_peap: Received EAP-TLV response
> 
> (41) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
> 
> (41) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
> (41) eap_peap:   to find out the reason why the user was rejected
> (41) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
> (41) eap_peap:   what went wrong, and how to fix the problem

  Those messages could not possibly be any more clear.

  Why are you ignoring the messages that tell you what to do?

> To me it's not written black on white that the cache does work, since persist_dir is empty, I'm not sure of it.

  If the user is rejected, you can't do "fast RE-authentication".  Because the user wasn't authenticated.

  And if the user isn't authenticated, there's no cache entry.

> And that's why I've asked about the cache module.

  So instead of reading the messages in front of you, and following instructions, you look somewhere *else* with a similar name. 

  No, the "cache" module does not magically do TLS session caching.  Nothing in the documentation says it does.  The "cache" module documentation DOES say exactly how that module works.

  Again, read the documentation and the debug output.  I cannot be any more clear on this.  Since you're NOT reading the documentation and debug output, you're just wasting everyone's time.

  Alan DeKok.




More information about the Freeradius-Users mailing list