On 04/22/2011 05:00 PM, John Douglass wrote:
> Awesome Phil, that was exactly the kind of example that is awesomely
> useful :)
>
> I see that by default the username is stored along with this.
>
> [peap] Adding cached attributes to the reply:
> User-Name = "jd187"
> Cached-Session-Policy = "vlan=316"
>
> Do you know exactly how the session resumption is determined? In the
> debug output I see:

As Alan has mentioned, it's SSL/TLS session resumption, as PEAP (and TTLS, in fact) are built on top of TLS-over-EAP.

Basically once you've done a "full" PEAP authentication once (including full TLS - exchange certs, negotiate crypto - then a full inner auth e.g. MSCHAP) the same client/server pair can resume the session in a cryptographically secure manner, which is both quicker and fewer round-trips.

In FreeRADIUS case, it just uses the OpenSSL library to store some additional data in the server "session", namely the values you've seen.

Specifically: it is *only* that client/server pair that can resume a session, since they are the only entities which have the TLS shared secret negotiated in the initial full exchange. It's not some sort of "anything with the same username" thing - it's specific to TLS-based EAP methods, built on top of TLS session resumption.

> So I am assuming that session id is some combination of attributes that
> uniquely describe a single particular connection/authentication (I would

No: it's an SSL variable, you don't see or control it, or really need to worry about it.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
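Added example, not code from this thread or from FreeRADIUS: a small Go program using only the standard library's crypto/tls that stands up a loopback TLS server with a constructed self-signed certificate and makes three connections to it. The same client connects twice (full handshake, then a resumed one), and then a second client that never held that session state connects once. It demonstrates the point made above: resumption is a property of the TLS session shared by one client/server pair, not of any username or attribute, so the "stranger" gets a full handshake. The names selfSignedCert, serve, connect, RunResumptionDemo and "demo-eap-server" are mine, and the loopback TCP transport stands in for the EAP carrier a real PEAP/TTLS deployment would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway server certificate (constructed for this
// demo; a real EAP server presents its deployed certificate).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-eap-server"},
		DNSNames:              []string{"demo-eap-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// serve accepts until the listener closes: handshake, one byte of data, close.
// The session ticket that enables resumption is issued by crypto/tls itself.
func serve(ln net.Listener, cfg *tls.Config) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, cfg)
		if srv.Handshake() == nil {
			_, _ = srv.Write([]byte{1})
		}
		srv.Close()
	}
}

// connect runs one client handshake and reports whether it was a resumption.
func connect(addr string, cfg *tls.Config) (bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Reading makes the client process the server's NewSessionTicket, which
	// is what fills the ClientSessionCache for the next dial.
	if _, err := conn.Read(make([]byte, 1)); err != nil {
		return false, err
	}
	return conn.ConnectionState().DidResume, nil
}

// RunResumptionDemo connects the same client twice, then a second client
// ("stranger") with an empty cache, and reports which handshakes resumed.
func RunResumptionDemo() (first, second, stranger bool, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return
	}
	defer ln.Close()
	go serve(ln, &tls.Config{Certificates: []tls.Certificate{cert}})
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	newClient := func() *tls.Config { // each call is a distinct client with its own cache
		return &tls.Config{RootCAs: pool, ServerName: "demo-eap-server",
			ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	}
	addr, same := ln.Addr().String(), newClient()
	if first, err = connect(addr, same); err != nil {
		return
	}
	if second, err = connect(addr, same); err != nil {
		return
	}
	stranger, err = connect(addr, newClient())
	return
}
```

RunResumptionDemo returns false, true, false: only the client that holds the session state from the first full handshake can resume. The practical consequence for an EAP server is the one the thread touches on: a resumed session skips the inner authentication, so attributes cached with the session (the Cached-Session-Policy line in the debug output above) are handed back without re-checking the user, and the lifetime of that session cache bounds how long a policy can outlive a change to the user's account.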
