OpenNAC FreeRadius with Windows Fast Reconnect
The purpose of this document is to explain the changes that must be applied to the FreeRadius configuration files to use the Windows fast reconnect property.
The client and the server can cache TLS session keys and use them to reduce the delay between a client's authentication request and the Radius server's response.
1. FreeRadius configuration
- Enable the EAP-TLS session cache in the /etc/raddb/eap.conf file. The enable property is located inside the cache subsection of eap/tls, as shown:
eap {
    ...
    tls {
        ...
        cache {
            enable = yes
            ...
        }
    }
}
The lifetime and max_entries properties, inside the cache section, are configured with default values. We can adjust them depending on our environment.
- Enable the use_tunneled_reply property to send the reply attributes based on the user name inside the tunnel:
eap {
    ...
    peap {
        ...
        use_tunneled_reply = yes
        ...
    }
}
You probably need to enable this property if you receive the following message:
Note
WARNING: No information to cache: session caching will be disabled for this session.
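The following check is an added example, not part of the original OpenNAC documentation: it flattens a FreeRadius-style configuration into dotted section paths and reports whether the two settings described above are present and set to yes. The function names and the sample text are constructed for illustration, and the parser assumes a simplified grammar (one statement per line, no `#` inside values).

```python
import re

# The two settings this page requires, as dotted section paths.
REQUIRED = {"eap.tls.cache.enable": "yes", "eap.peap.use_tunneled_reply": "yes"}

def parse_raddb(text):
    """Flatten a FreeRADIUS-style config into {"section.sub.key": "value"}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        opened = re.fullmatch(r"([\w-]+)(?:\s+[\w-]+)?\s*\{", line)
        pair = re.fullmatch(r"([\w-]+)\s*=\s*(.*)", line)
        if opened:                                 # "name {" or "type name {"
            stack.append(opened.group(1))
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
        elif pair:
            settings[".".join(stack + [pair.group(1)])] = pair.group(2).strip('"')
    if stack:
        raise ValueError("unclosed section: " + ".".join(stack))
    return settings

def check_fast_reconnect(text):
    """Return [(path, found_value)] for required settings that are missing or wrong."""
    found = parse_raddb(text)
    return [(path, found.get(path)) for path, want in REQUIRED.items()
            if (found.get(path) or "").lower() != want]

# Constructed sample: cache enabled, but use_tunneled_reply left at "no".
SAMPLE = """
eap {
    tls {
        cache {
            enable = yes    # session cache on
        }
    }
    peap {
        use_tunneled_reply = no
    }
}
"""

if __name__ == "__main__":
    for path, value in check_fast_reconnect(SAMPLE):
        print(f"{path}: expected 'yes', found {value!r}")
```

To check a real deployment, pass the contents of /etc/raddb/eap.conf to check_fast_reconnect; an empty list means both settings are in place.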
2. Windows configuration
- Once the radius certificate is configured, the endpoint should be set up. Select the Enable Fast Reconnect property in the Protected EAP Properties window. A complete explanation of how to configure the 802.1x supplicant, including the EAP properties, can be found at the following link: 802.1x Configuration.