Alan DeKok schrieb: > Andreas Hartmann wrote: >> I have one basic question: >> There are now two different caches: one in eap (based on ssl) and the >> extern cache, rlm_caching. > > rlm_caching has nothing to do with EAP. > >> If I want to use fast_reauth, is it necessary to enable both caches or >> must the ssl-cache in eap.conf be disabled to run fast_reauth >> successfully with rlm_caching? > > The EAP configuration explains what you need to do for fast re-auth. > >> Meanwhile, I have a configuration, which does a User-Name-based >> rlm_caching at the end of the last fragment of the initial >> authentication with an originaly empty database. > > What is it supposed to do? > >> But the problem is: >> >> If the user reconnects or wants to connect initial again, the process is >> stopped (with success returned) at the moment, the client sends the >> User-Name. >> This is wrong. The process can't be interrupted before the key exchange >> has been done successfully. >> How can this be written in the config-file (authorize-section)? > > What do you want to do? > > I have no idea why you configured the caching module, and you haven't > explained why you configured it.
Thanks for your reply, I configured it, because fast-reauth doesn't work for me. - In the wpa_supplicant, fast_reauth is switched to 1. - In eap.conf, the cache under tls is enabled. Now, wpa_supplicant is started and the client got authenticated. But there is a warning nearly at the end of the successfull authentication: Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3 Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_process returned 3 Fri Jun 4 09:42:11 2010 : Info: [tls] Adding user data to cached session Fri Jun 4 09:42:11 2010 : Info: [tls] Saving response in the cache Fri Jun 4 09:42:11 2010 : Info: [tls] WARNING: No information to ^^^^^^^^^^^^^^^^^^^^^^^^^^ cache: session caching will be disabled for this session. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Fri Jun 4 09:42:11 2010 : Info: [eap] Freeing handler Fri Jun 4 09:42:11 2010 : Info: ++[eap] returns ok Fri Jun 4 09:42:11 2010 : Auth: Login OK: [myu...@mydom] (from client WAP610N port 0 cli 00-13-.....) Fri Jun 4 09:42:11 2010 : Info: +- entering group post-auth {...} Fri Jun 4 09:42:11 2010 : Info: ++[exec] returns noop Sending Access-Accept of id 238 to 192.168.... port 2048 .... Some time later, the fast_reauth follows, which breaks, because of missing datas in the cache. My question is: How must the client or the server be configured, that there are cached datas in order to get a working fast_reauth? rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=240, length=177 User-Name = "myu...@mydom" NAS-Port = 0 Called-Station-Id = "00-25-...:mywlan" Calling-Station-Id = "00-13-...." Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000017016e6f7465626f6f6b31406d6179612e6f7267 Message-Authenticator = 0xc7d7831bf74eb29cc2862fbf9c1164f8 Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...} Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for User-Name = "myu...@mydom" Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom" Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 0 length 23 Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry myu...@mydom at line 203 Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...} Fri Jun 4 10:05:37 2010 : Info: [eap] EAP Identity Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls Fri Jun 4 10:05:37 2010 : Info: [tls] Requiring client certificate Fri Jun 4 10:05:37 2010 : Info: [tls] Initiate Fri Jun 4 10:05:37 2010 : Info: [tls] Start returned 1 Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns handled Sending Access-Challenge of id 240 to 192.168.... port 2048 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbc40ebedbc41e6950bd358ee7ea3ba57 Fri Jun 4 10:05:37 2010 : Info: Finished request 9. Fri Jun 4 10:05:37 2010 : Debug: Going to the next request Fri Jun 4 10:05:37 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168..... port 2048, id=241, length=1516 User-Name = "myu...@mydom" NAS-Port = 0 Called-Station-Id = "00-25-....:mywlan" Calling-Station-Id = "00-13-...." Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020105360d00160301052b.... EAP-Message = 0xc19621437c240ee8........ EAP-Message = d1b03b4d9ba1a79b324d237c3b8c8ef1806597ec8 ... EAP-Message = 0x77f505a88ea15af0e517.... EAP-Message = 0x39e23c539c6250cf89bc10dbbfb48c3bb5f2fecf... EAP-Message = 0xae584e899f3de05f54edcc..... State = 0xbc40ebedbc41e6950bd358ee7ea3ba57 Message-Authenticator = 0x99433479c1d2750ac02738bcb5e629a9 Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...} Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for User-Name = "myu...@mydom" Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom" Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 1 length 253 Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry myu...@mydom at line 203 Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...} Fri Jun 4 10:05:37 2010 : Info: [eap] Request found, released from the list Fri Jun 4 10:05:37 2010 : Info: [eap] EAP/tls Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls Fri Jun 4 10:05:37 2010 : Info: [tls] Authenticate Fri Jun 4 10:05:37 2010 : Info: [tls] processing EAP-TLS Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_verify returned 7 Fri Jun 4 10:05:37 2010 : Info: [tls] Done initial handshake Fri Jun 4 10:05:37 2010 : Info: [tls] (other): before/accept initialization Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: before/accept initialization Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 Handshake [length 052b], ClientHello Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 read client hello A Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 Handshake [length 0051], ServerHello Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write server hello A Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write change cipher spec A Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 Handshake [length 0010], Finished Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write finished A Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 flush data Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: Need to read more data: SSLv3 read finished A Fri Jun 4 10:05:37 2010 : Debug: In SSL Handshake Phase Fri Jun 4 10:05:37 2010 : Debug: In SSL Accept mode Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_process returned 13 Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns handled Sending Access-Challenge of id 241 to 192.168.... port 2048 EAP-Message = 0x0102009b0d8000000091160301005...... Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbc40ebedbd42e6950bd358ee7ea3ba57 Fri Jun 4 10:05:37 2010 : Info: Finished request 10. Fri Jun 4 10:05:37 2010 : Debug: Going to the next request Fri Jun 4 10:05:37 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=242, length=237 User-Name = "myu...@mydom" NAS-Port = 0 Called-Station-Id = "00-25-....:mywlan" Calling-Station-Id = "00-13-...." Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200410d001403010001011603010.... State = 0xbc40ebedbd42e6950bd358ee7ea3ba57 Message-Authenticator = 0x21f2e35898da2e8b85b5d916baab5237 Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...} Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for User-Name = "myu...@mydom" Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom" Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 2 length 65 Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry myu...@mydom at line 203 Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...} Fri Jun 4 10:05:37 2010 : Info: [eap] Request found, released from the list Fri Jun 4 10:05:37 2010 : Info: [eap] EAP/tls Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls Fri Jun 4 10:05:37 2010 : Info: [tls] Authenticate Fri Jun 4 10:05:37 2010 : Info: [tls] processing EAP-TLS Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_verify returned 7 Fri Jun 4 10:05:37 2010 : Info: [tls] Done initial handshake Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 Handshake [length 0010], Finished Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 read finished A Fri Jun 4 10:05:37 2010 : Info: [tls] (other): SSL negotiation finished successfully Fri Jun 4 10:05:37 2010 : Debug: SSL Connection Established Fri Jun 4 10:05:37 2010 : Debug: SSL Application Data Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_process returned 3 Fri Jun 4 10:05:37 2010 : Info: [tls] Retrieved session data from cached session Fri Jun 4 10:05:37 2010 : Info: [tls] WARNING: No information in ^^^^^^^^^^^^^^^^^^^^^^^^^^ cached session! ^^^^^^^^^^^^^^^ Fri Jun 4 10:05:37 2010 : Info: [eap] Freeing handler Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns reject Fri Jun 4 10:05:37 2010 : Info: Failed to authenticate the user. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Fri Jun 4 10:05:37 2010 : Auth: Login incorrect: [myu...@mydom] (from client WAP610N port 0 cli 00-13-....) Fri Jun 4 10:05:37 2010 : Info: Using Post-Auth-Type Reject Fri Jun 4 10:05:37 2010 : Info: +- entering group REJECT {...} Fri Jun 4 10:05:37 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> myu...@mydom Fri Jun 4 10:05:37 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Fri Jun 4 10:05:37 2010 : Info: ++[attr_filter.access_reject] returns updated Fri Jun 4 10:05:37 2010 : Info: Delaying reject of request 11 for 1 seconds Fri Jun 4 10:05:37 2010 : Debug: Going to the next request Fri Jun 4 10:05:37 2010 : Debug: Waking up in 0.9 seconds. Fri Jun 4 10:05:38 2010 : Info: Sending delayed reject for request 11 Sending Access-Reject of id 242 to 192.168.... port 2048 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Fri Jun 4 10:05:38 2010 : Debug: Waking up in 3.9 seconds. Fri Jun 4 10:05:42 2010 : Info: Cleaning up request 9 ID 240 with timestamp +1415 Fri Jun 4 10:05:42 2010 : Info: Cleaning up request 10 ID 241 with timestamp +1415 Fri Jun 4 10:05:42 2010 : Debug: Waking up in 1.0 seconds. Fri Jun 4 10:05:43 2010 : Info: Cleaning up request 11 ID 242 with timestamp +1415 Fri Jun 4 10:05:43 2010 : Info: Ready to process requests. Thank you very much for your help, kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html