Hello, well, I thought about the problem with reauth: why must there be passwords in the session? EAP/TLS doesn't need any passwords to be exchanged; the passphrase stays local.
That's why it shouldn't be necessary to have these keys in the session or in the response (the client didn't send any password either). By the time the password is added to the session, the handshake has already completed. from src/modules/rlm_eap/libeap/eap_tls.c (original): ------------------------------------------------------------------------------------------------------------------------- } else if (!SSL_session_reused(tls_session->ssl)) { RDEBUG2("Saving response in the cache"); vp = paircopy2(request->reply->vps, PW_USER_NAME); pairadd(&vps, vp); vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME); pairadd(&vps, vp); if (vps) { SSL_SESSION_set_ex_data(tls_session->ssl->session, eaptls_session_idx, vps); } else { RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session."); SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session); } /* * Else the session WAS allowed. Copy the cached * reply. */ } else { vp = SSL_SESSION_get_ex_data(tls_session->ssl->session, eaptls_session_idx); if (!vp) { RDEBUG("WARNING: No information in cached session!"); return eaptls_fail(handler, peap_flag); } else { RDEBUG("Adding cached attributes to the reply:"); debug_pair_list(vp); pairadd(&request->reply->vps, paircopy(vp)); /* * Mark the request as resumed. */ vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET); if (vp) pairadd(&request->packet->vps, vp); } } ----------------------------------------------------------------------------------------------------------------------------------- Therefore, I did the following change (-> for testing only!!!! 
This should be used only with EAP/tls for testing - no warranty! Note that where the original code fails the request when the cached session data is missing, the change below accepts the resumed session and only logs a warning.): ----------------------------------------------------------------------------------------------------------------------------------- } else if (!SSL_session_reused(tls_session->ssl)) { RDEBUG2("Saving response in the cache"); vp = paircopy2(request->reply->vps, PW_USER_NAME); pairadd(&vps, vp); vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME); pairadd(&vps, vp); if (vps) { SSL_SESSION_set_ex_data(tls_session->ssl->session, eaptls_session_idx, vps); } else { RDEBUG2("WARNING: No information to cache: session caching will be disabled for this session."); SSL_CTX_remove_session(tls_session->ctx, tls_session->ssl->session); } /* * Else the session WAS allowed. Copy the cached * reply. */ } else { vp = SSL_SESSION_get_ex_data(tls_session->ssl->session, eaptls_session_idx); if (!vp) { // here should be a check for the authentication type EAP/tls, // because I'm not sure, if this code is used exclusively for eap/tls RDEBUG("WARNING: No information in cached session!"); vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET); if (vp) { pairadd(&request->packet->vps, vp); RDEBUG("WARNING: Missing session-data ignored!"); } else { RDEBUG("WARNING: Couldn't set EAP-Session-Resumed data!"); return eaptls_fail(handler, peap_flag); } } else { RDEBUG("Adding cached attributes to the reply:"); debug_pair_list(vp); pairadd(&request->reply->vps, paircopy(vp)); /* * Mark the request as resumed. 
*/ vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET); if (vp) pairadd(&request->packet->vps, vp); } } ----------------------------------------------------------------------------------------------------------------------------------- That's what is sent to the client after this process: Sending Access-Accept of id 52 to 192.168.1.9 port 2048 MS-MPPE-Recv-Key = 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx MS-MPPE-Send-Key = 0xyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "myu...@mydom.it" Kind regards, Andreas Hartmann - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html