On Tue, Feb 10, 2015 at 8:03 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, Jan 25, 2015 at 8:06 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>>> ocserv[4622]: main: 121.34.241.154:50274 sending message 'auth cookie
>>> reply' to worker
>>> ocserv[4688]: worker: 121.34.241.154:50274 received auth reply message
>>> (value: 3)
>>> ocserv[4688]: worker: 121.34.241.154:50274 error receiving cookie
>>> authentication reply
>>> ocserv[4688]: worker: 121.34.241.154:50274 failed cookie authentication attempt
>>> Is auth cookie somehow affected by my client certificate `cn` and `unit`?
>> No. I believe it is a side-effect of the new session control introduced
>> due to radius. It seems that sessions in the security module are expired
>> sooner than expected, and that's why you notice that issue. I've
>> submitted a correction into git, but I'll need to review the whole
>> process sometime later.
>
> I did review it and found it overly complex. I've now simplified the
> session control, by having the security module check time and decide
> the validity of a cookie. That should handle all existing use cases
> (there are now tests for them), but if I missed anything let me know.

Hmm, I just did a quick network roaming test with the head of tree, and
on reconnect (wifi->3G) ocserv assigned a different tunnel IPv4 address.
I did not see this with the earlier rev. This is for a user who doesn't
have explicit-ipv4 set (obviously).

I'll email you a debug log if you can't reproduce it.