Hi,

We're fighting duplicate requests due to slow responses because of PEAP-TLS many exchanged packets.


Is FarmSize still unusable when enabling EAP_UseState because the EAP context data isn't shared between the forked childs?

Can Gossip be used to share this state between the childs or the State attribute to balance all requests of one EAP session always to the same child?


I've added this line to all PostAuthHooks and everything seems to work as it should:

my $self = $p->{AuthBy};
my $context = $self->getEAPContext($p);

return
        if Net::SSLeay::session_reused($context->{ssl});

As I currently don't log if an auth was an EAP auth or a session resumption I can't tell if the session resumption works.

Can you please advice how to log session resumption?

Thanks, Alex


On 2016-11-30 18:09, Hartmaier Alexander wrote:
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:

Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
    $context->{customer} = $customer;
[cut]

Thanks, this clarifies the situation. You need to save information
across resumed authentications.

I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.

Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.

I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to automatically save suitably named context
variables, for example $context->{custom_info} would be automatically
saved and restored.

The reason for this change was to allow the user of State attribute
with EAP authentication and more clearly separate information that is
needed during one EAP authentication dialog from information that
needs to be kept across resumed authentications.

Thanks,
Heikki

Correct me if I'm wrong but can a resumed session every be not accepted?
As it means that a successful auth has happened before.
Should a PostAuth hook, or some of the other hooks, be run at all in
this case?
It might make sense to differenciate between an authentication and a
resumption.

As the 'last_reply_attrs' are already stored in the context it might be
the easiest option to either use a different hook instead of PostAuth,
continue using PostAuth if you decide to not call PostAuth for resumed
'auths' or detect the resumption in the Hook and just bail out of it at
the very beginning.


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator

Reply via email to