List: freeradius-users
Subject: Re: Cached attributes
From: Alan DeKok <aland () deployingradius ! com>
Date: 2016-02-25 20:38:53
Message-ID: 4E994E01-1187-4189-9BAF-D8D35D047F2E () deployingradius ! com
On Feb 25, 2016, at 11:16 AM, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
> This didn't work as it seems the cache_tls module is called in packet 4, i.e.
> before the server has started to process the inner tunnel (which is where
> Inner-User-Name is assigned).

The cache_tls module is there so that it can cache / replay the TLS attributes. So
that you can use the TLS-Cert-* attributes on the resumed session.

You can add a cache module which is specific to your needs. Put it into post-auth,
so that it caches the Inner-User-Name.

> How can we place the Inner-User-Name into the TLS cache?

Update the "cache" module configuration to cache Inner-User-Name. Then, ensure
that the cache is updated when the Inner-User-Name is available.

While there are a lot of moving pieces, a careful approach to system design helps.
If the Inner-User-Name is only available in post-auth... well... put a cache module
there to cache it.

> Arran's email [1] suggests that anything you wish to place in the TLS cache must be
> stored in session-state before the TLS session is frozen. However what seems to be
> happening is the TLS cache entry is created at the beginning of the TLS session and
> then not updated.

That's not how the module && virtual server are supposed to work. They *were*
tested before being put into git, so they should work.

> Please can you shed some light on this behaviour, and whether it is possible to add
> an attribute to an existing cache entry in the inner post-auth section?

You can always cache a new attribute. Just add it to the configuration for the
cache module.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html