Alexander Clouter wrote:
> Bjørn Mork <bj...@mork.no> wrote:
>> Andreas Hartmann <andihartm...@01019freenet.de> writes:
>>
>>> Yes, you're right - I meant option eap -> tls -> cache -> enable is
>>> switched _on_ and fast_reauth is on too on the supplicant. My wrong :-(.
>>>
>>> You can see it at this log entry at the initial login:
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] Adding user data to cached session
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] Saving response in the cache
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] WARNING: No information to cache:
>>> session caching will be disabled for this session.
>>>
>>> And then the reauth:
>>>
>>> Wed Jun 2 20:39:18 2010 : Info: [tls] Retrieved session data from
>>> cached session
>>> Wed Jun 2 20:39:18 2010 : Info: [tls] WARNING: No information in cached
>>> session!
>>
>> FWIW I've seen exactly the same with FR 2.1.8. Ended up disabling
>> caching. But I would like to know the cause of this "No information to
>> cache" warning. The resulting failure to retrieve cached data is of
>> course to be expected, but the warning itself doesn't make any sense to
>> me. There must be information to cache since the authentication is
>> successful.
>>
> The 'No information to cache' means you do not have anything useful
> (for example 'User-Name') in the reply packet.
>
> In the post-auth of my inner-eap virtual server I have added:
> ----
> post-auth {
>     ...
>     # needed for TTLS cache
>     update reply {
>         User-Name := "%{request:User-Name}"
>     }
>     ...
> }
> ----

Ok, I'm using exclusively certificates for authorization. Therefore, I
don't have any inner-eap, if I got it right.

I have one basic question: There are now two different caches: one in
eap (based on ssl) and the external cache, rlm_caching. If I want to use
fast_reauth, is it necessary to enable both caches or must the ssl-cache
in eap.conf be disabled to run fast_reauth successfully with rlm_caching?

Meanwhile, I have a configuration which does a User-Name-based
rlm_caching at the end of the last fragment of the initial
authentication with an originally empty database. The entry is the
following in /etc/raddb/modules/caching

    caching {
        filename = ${db_dir}/db.cache
        cache-ttl = 1d
        hit-ratio = 1000
        key = "%{User-Name}"
        # post-auth = "%{User-Name}"
        cache-size = 200000
        # cache-rejects = yes
    }

I'm not sure if User-Name is the best key for this purpose.

In /etc/raddb/sites-enabled/defaults, caching has the following entries:

    authorize {
        caching {
            ok = return
        }
        ....
    }

    post-auth {
        ....
        caching
        if (updated) {
            update reply {
                User-Name := "%{User-Name}"
            }
        }
    }

With this config, the key is written to the caching database at the end
of the initial login. But the problem is: If the user reconnects or wants
to connect initially again, the process is stopped (with success
returned) at the moment the client sends the User-Name. This is wrong.
The process can't be interrupted before the key exchange has been done
successfully. How can this be written in the config file
(authorize section)?

Kind regards,
Andreas
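
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it scans radius.log text for the [tls] cache messages quoted above and reports whether any session resumption actually found cached data. The sample log is constructed from the quoted excerpt, and the event names and function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the radius.log format quoted in the thread
# (one event per line; the mail client had wrapped the long lines).
SAMPLE_LOG = """\
Wed Jun 2 20:29:14 2010 : Info: [tls] Adding user data to cached session
Wed Jun 2 20:29:14 2010 : Info: [tls] Saving response in the cache
Wed Jun 2 20:29:14 2010 : Info: [tls] WARNING: No information to cache: session caching will be disabled for this session.
Wed Jun 2 20:39:18 2010 : Info: [tls] Retrieved session data from cached session
Wed Jun 2 20:39:18 2010 : Info: [tls] WARNING: No information in cached session!
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (?P<level>\w+): \[tls\] (?P<msg>.*)$")

# Message prefixes taken from the log excerpt in the thread; event names are hypothetical.
EVENTS = {
    "Saving response in the cache": "store_attempt",
    "WARNING: No information to cache": "store_empty",
    "Retrieved session data from cached session": "resume_attempt",
    "WARNING: No information in cached session": "resume_empty",
}

def scan(log_text):
    """Return (counts, findings) for [tls] cache events in radius.log text."""
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a [tls] line in the expected format
        for prefix, event in EVENTS.items():
            if m["msg"].startswith(prefix):
                counts[event] += 1
                if event.endswith("_empty"):
                    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
                    findings.append((ts, event))
    return counts, findings

def cache_is_effective(counts):
    """True only if at least one resumption found usable cached data."""
    return counts["resume_attempt"] > counts["resume_empty"]

if __name__ == "__main__":
    counts, findings = scan(SAMPLE_LOG)
    for ts, event in findings:
        print(ts.isoformat(), event)
    print("cache effective:", cache_is_effective(counts))
```
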