Re: Cache errors(?) - single device


Re: Cache errors(?) - single device

Alan DeKok-2


> On Sep 9, 2019, at 2:07 AM, Marcin Marszałkowski <[hidden email]> wrote:
>
> Hi,
>
> I have freeradius 3.0.20 with tls cache enabled (fast reauthentication) running in a docker container, sql backend.
> Everything has been working fine until recently a new device (laptop) was added to the network.
> The laptop connects properly to the specified network, but when roaming it gets an Access-Accept answer without any AVP, thus it is assigned to the native, trunk network.
> Since it applies only to one device (MacBook Pro) and debug doesn't throw any errors

  It *does* show you what the server is doing, and *why* it added attributes to Access-Accept.

> I don’t know where to start troubleshooting. I’d removed content of tlscache folder, toggled off/on cache and it didn’t help.
> Any suggestion?

  Read the debug output.  If it's too confusing, post it here.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Cache errors(?) - single device

Alan DeKok-2
On Sep 11, 2019, at 5:28 AM, Marcin Marszałkowski <[hidden email]> wrote:

>
> So, I've run a couple of tests (roaming between clients) with cache disabled and enabled.
> ...
> Cache enabled debug:
>
> (18) eap: Expiring EAP session with state 0x9049ed0d92dcf470
> (18) eap: Finished EAP session with state 0x9049ed0d92dcf470
> (18) eap: Previous EAP request found for state 0x9049ed0d92dcf470, released from the list
> (18) eap: Peer sent packet with method EAP PEAP (25)
> (18) eap: Calling submodule eap_peap to process data
> (18) eap_peap: Continuing EAP-TLS
> (18) eap_peap: [eaptls verify] = ok
> (18) eap_peap: Done initial handshake
> (18) eap_peap: [eaptls process] = ok
> (18) eap_peap: Session established.  Decoding tunneled attributes
> (18) eap_peap: PEAP state send tlv success
> (18) eap_peap: Received EAP-TLV response
> (18) eap_peap: Success
> (18) eap_peap: No saved attributes in the original Access-Accept
> (18) eap_peap:   &request:EAP-Session-Resumed := 1
> (18) eap: Sending EAP Success (code 3) ID 149 length 4
> (18) eap: Freeing handler
> (18)     [eap] = ok
> (18)   } # authenticate = ok

  There are a LOT more messages than that.  Including messages which talk about restoring cached attributes.

  Honestly, *read* the debug output.  ALL OF IT.  If there's nothing about the cache, then you didn't configure the cache properly.

  I fail to understand why you're only looking at the final access accept.   The REST of the debug output shows more information about previous actions, like caching...

> Without cache, all AVPs are retrieved from sql; with cache that step is skipped and the cache doesn't save AVPs.

  Yes, if you *read* the debug outputs you'll see why.  There's no "inner-tunnel" being run for the cached session.

> If it's required, I can post the full debug or attach it as a file ;-)
> Any ideas what might be going wrong with saving AVP in cache?

  TBH, first upgrade to the v3.0.x branch on GitHub.  I'm pretty sure I already suggested this.  That makes caching easier to configure.  See the "cache" section of mods-available/eap in the v3.0.x source.

  Then, READ the debug output.  ALL OF IT.  Do simple things like LOOK FOR THE WORD "cache" or "caching".

  The more you ignore the debug output, the harder it will be for you to understand the problem and fix it.

  Alan DeKok.



Re: [EXT] Re: Cache errors(?) - single device

Brian Julin

Take a look at http://lists.freeradius.org/pipermail/freeradius-users/2016-January/081595.html and see if that helps.

If you want to allow the attributes to change between the original authentication and
a reauth you'll have to modify that quite a bit and do some SQL in the outer tunnel server
based on inner tunnel attributes.





Re: Cache errors(?) - single device

Alan DeKok-2
On Sep 11, 2019, at 9:35 AM, Marcin Marszałkowski <[hidden email]> wrote:
> I don’t ignore the debug output - as above.

  Then the question of "why are the replies different?" is answered in the debug output.  Which means I'm surprised that the question was asked.

> Debug when cache was enabled. If I had misconfigured something, please let me know it.

  Which shows it restoring attributes from the cache:

> (16) eap_peap: Successfully restored session b262a59370281c744fe0461ed6ec84ac5cad9f13e1659976768255c81953cfe5
> (16) eap_peap:   reply:User-Name = "Mark"

  And... that's it.

  Did you edit the "store" subsection to list attributes for it to cache?  As documented ... ?

  If you did that, then those attributes are cached, and then restored when the session is resumed.

  Alan DeKok.
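An added example (not from the thread or from FreeRADIUS itself) that applies the advice above mechanically: it parses `(N) eap_peap:` debug lines, groups them by request number, and reports per request whether the session was resumed and which reply attributes were restored from the cache. The sample debug text is constructed to mirror the lines quoted in this thread; the session id in it is a made-up placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's debug lines; the session id is a made-up placeholder.
SAMPLE_DEBUG = """\
(16) eap_peap: Successfully restored session 00112233445566778899aabbccddeeff
(16) eap_peap:   reply:User-Name = "Mark"
(16) eap_peap:   reply:Tunnel-Private-Group-Id:0 = "42"
(16) eap_peap:   &request:EAP-Session-Resumed := 1
(18) eap_peap: Session established.  Decoding tunneled attributes
(18) eap_peap: No saved attributes in the original Access-Accept
(18) eap_peap:   &request:EAP-Session-Resumed := 1
(18)     [eap] = ok
(20) eap_peap: Got tunneled request
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(\S+):\s*(.*)$")          # "(N) module: message"
ATTR_RE = re.compile(r"^&?reply:([\w.:-]+)\s*(?::=|\+=|=)\s*(.*)$")  # "reply:Attr = value"

def parse_cache_events(debug_text):
    """Collect per-request session-cache events from eap_peap debug lines; other modules are skipped."""
    events = defaultdict(lambda: {"resumed": False, "no_saved": False, "restored": {}})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "eap_peap":
            continue  # lines such as "(18)     [eap] = ok" carry no cache information
        req, msg = int(m.group(1)), m.group(3).strip()
        ev = events[req]
        if msg.startswith(("Successfully restored session", "&request:EAP-Session-Resumed")):
            ev["resumed"] = True
        elif msg.startswith("No saved attributes in the original Access-Accept"):
            ev["no_saved"] = True
        else:
            a = ATTR_RE.match(msg)
            if a and ev["resumed"]:  # only reply attributes printed after a restore count as cached
                ev["restored"][a.group(1)] = a.group(2).strip('"')
    return dict(events)

def triage(debug_text):
    """Classify each request: resumed with attributes, resumed with an empty cache, or a full authentication."""
    verdicts = {}
    for req, ev in sorted(parse_cache_events(debug_text).items()):
        if ev["resumed"] and ev["restored"]:
            verdicts[req] = "resumed, %d attribute(s) restored" % len(ev["restored"])
        elif ev["resumed"]:
            verdicts[req] = "resumed, nothing restored: check the 'store' subsection"
        else:
            verdicts[req] = "full authentication (inner-tunnel ran)"
    return verdicts
```

Run it over a real `radiusd -X` capture by reading the file into `triage()`; a request reported as "resumed, nothing restored" is exactly the roaming case described in this thread.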



Re: Cache errors(?) - single device

Alan DeKok-2


> On Sep 11, 2019, at 2:26 PM, Marcin Marszałkowski <[hidden email]> wrote:
>
>> Alan DeKok <[hidden email]> wrote on 11.09.2019, at 18:24:
>> Then the question of "why are the replies different?" is answered in the debug output.  Which means I'm surprised that the question was asked.
>
> „Why…” I meant to find the underlying root cause of this particular problem. I'm not a developer - just a user, and the debug info is not as clear to me as it is to you.

  The messages are pretty clear.  They show you which attributes are stored in the session cache, and which ones are retrieved from the session cache.

>> Did you edit the "store" subsection to list attributes for it to cache?  As documented ... ?
>
> I've read the rlm_eap description on the wiki and there's nothing about caching. The only thing I adhered to was the description in the eap config file.
> Unfortunately, I couldn't find anything about a „store” subsection.

  Then you're not looking at the mods-available/eap file from the v3.0.x branch.

  The point of using a new version is *not* just to use the binary.  But *also* to look at the updated documentation and configuration examples.

  So you've wasted days of time and many messages just to realize that you're *not* looking at the updated examples as I suggested.

  Please follow instructions.  It shouldn't be difficult.  Every step you skip results in lost time and more frustration for everyone.

> Did you mean similar problem asked about in http://freeradius.1045715.n5.nabble.com/Example-of-how-to-use-caching-Cached-Session-Policy-td4329307.html ?

  No.  I meant to look at the "store" subsection.  Which is why I said it.

  Alan DeKok.



Re: Cache errors(?) - single device

Alan DeKok-2
On Sep 11, 2019, at 3:13 PM, Marcin Marszałkowski <[hidden email]> wrote:
>
> It looks like that was the source of my problem. Now I need to compare/check all conf files...

 That's really the only change necessary here.  Again, if there was more to do, I would have said it.

 The install process does *not* over-write your existing configuration files.  For very many reasons.

 Alan DeKok.

