: freeradius-users-
bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org
[mailto:freeradius-users-
bounces+j.d.f.palmer=swansea.ac...@lists.freeradius.org] On Behalf Of
Alan DeKok
Sent: 12 January 2010 11:33
To: FreeRadius users mailing list
Subject: Re: FR 2.1.8 Issue - Unjustified(?) Access
Palmer J.D.F. wrote:
Hi Alan,
I've just been perusing the release notes for 2.1.9 and I see a bug
fix...
Set EAP-Session-Resumed = Yes, not No when session is resumed.
Can you confirm if this is relating to the problem I reported in the
conversation below?
No, it's not.
The fix for that issue will be in 2.1.10. If you need it now, see
http://git.freeradius.org, and grab the v2.1.x branch.
Ok thanks Alan. I'll most likely wait until 2.1.10.
Do you have any details on the bug?
Thanks,
Jezz.
Palmer J.D.F. wrote:
Ok thanks Alan. I'll most likely wait until 2.1.10.
Do you have any details on the bug?
FreeRADIUS requires IDs to uniquely identify each SSL session. At
some point, OpenSSL changed their code to *not* generate or store IDs.
So... many of the assumptions of the server broke.
Ah, that's helpful. :-D
Thanks for the info Alan.
Cheers,
Jezz.
Thanks for the reply Alan.
This means that the session wasn't cached, and they are trying to
resume a session that never was started. The change in 2.1.8 is there
to work around a bug in OpenSSL.
Ok
The only other alternative is that they *are* resuming a valid
session, but (a) after
Palmer J.D.F. wrote:
I reinstated 2.1.8 this morning after having set the cache size to
infinity (was the default 255) but the problem still exists.
Caching is enabled in eap.conf, but does fastreauth need to be enabled
in experimental.conf? It is currently disabled.
You are not using
Whether this has any bearing on it I'm not sure, but this seems to be
affecting users that use wpa_supplicant more, though Windows users have
also reported the problem.
The sessions *also* have a timeout. Read eap.conf.
Do you mean under the cache directive?
If so that is set to 48
Palmer J.D.F. wrote:
We migrated to 2.1.8 (from 2.1.7) last week while things were quiet, as
the users have re-appeared after the holiday we've started to receive a
few reports from users stating that they have been getting lots of
prompts for credentials.
The log says:
... WARNING: No
Hi,
Is this likely to be a configuration error (no changes were made to the
2.1.7 config), or a bug?
Try increasing the size of the cache. Try ensuring that there is
always a User-Name in the inner tunnel. This user name is cached, and
is checked on session resumption.
How
Stefan Winter wrote:
How does this work together with anonymous outer ids? I.e. if outer
User-Name = a...@foo.bar and the inner User-Name is ste...@foo.bar, then
the cache contains a session for ste...@foo.bar
Yes.
On session resumption, there is no inner tunnel exchange, there's a
packet
Stefan Winter stefan.win...@restena.lu wrote:
Is this likely to be a configuration error (no changes were made to the
2.1.7 config), or a bug?
Try increasing the size of the cache. Try ensuring that there is
always a User-Name in the inner tunnel. This user name is cached, and
is
[1] you need to share the SSL session cache between your different
FreeRADIUS boxen, the support for that is not in OpenSSL yet if
I remember correctly (or was it FreeRADIUS). This would be done
Shared SSL session caches are definitely supported in OpenSSL, and have
been for a while IIRC; see distcache for info. Whether it's compiled
No wait, I'm talking crap.
Distcache is a layer *on top of* OpenSSL. You have to write for the
distcache API. I had assumed it was a plugin, but no -
Alan DeKok al...@deployingradius.com writes:
Palmer J.D.F. wrote:
We migrated to 2.1.8 (from 2.1.7) last week while things were quiet, as
the users have re-appeared after the holiday we've started to receive a
few reports from users stating that they have been getting lots of
prompts for