What are TLS Session Tickets?

When and why you should use them

In many environments, the same group of users will authenticate to the wifi network multiple times a day. TLS session tickets help to streamline this process by doing a full authentication only once a day, rather than every single time users reconnect to the network.

Universities and colleges are a classic example of having multiple authentications from the same group of people throughout the day. Every hour, on the hour, tens of thousands of students close their laptops, move to their next class, and open their laptops again. This behavior causes the RADIUS server to see huge spikes of authentication requests.

Even enterprises have similar issues, but to a somewhat lesser degree. For example, most workers will authenticate at the beginning of the day with a wired connection, and then move around to meeting rooms throughout the day and need to reconnect to wifi. These bursts of traffic increase the load on the RADIUS server, and make the network more fragile.

TLS session tickets are a way to speed up the re-authentication process, and to make it more robust.

A session ticket is an encrypted blob containing the session key and associated state, which the server sends to the client at the end of a successful TLS handshake, once the user has been authenticated. If the user closes the laptop, walks to a different room and reconnects, they can reauthenticate by passing the session ticket back to the server. The server then verifies the ticket contents and resumes the session.

By using a session ticket, the server does not need to redo the full authentication process “from scratch” by going back to the database to verify the user. Instead, the RADIUS server can just say “yes, this is the same authenticated user as last time”, and let them on the network.

For security, session tickets are only cached for a short period of time, which is usually no more than a day. Using session tickets therefore does not add any management load for administrators as they are managed automatically. When a user is removed from the system, their tickets automatically expire.

Benefits of using session tickets

Speeds up authentication

The most obvious benefit of using session tickets is that users are authenticated more quickly when they reconnect to the network. In educational environments where large groups of people need to reconnect to the network simultaneously at the start of each new class, the performance gains can be significant.

Additional redundancy

Using session tickets also provides an additional level of redundancy in the system. In the event that the user database is unreachable, most of the users will have already been authenticated. The RADIUS server will use the stored session tickets, and the database will not be used. Only a small percentage of users who have not yet connected to the network will be locked out. The vast majority of users can be reconnected via the session tickets, and they will not see any network outage.

Removes database from the critical path

Session tickets remove the user database from the authentication loop once most people have connected to the network for the first time that day. Skipping the database frees it from repetitive authentication work, and can open a window of opportunity to perform system maintenance. Using session tickets can also allow the database to perform more resource intensive functions such as accounting queries, without impacting authentication speed.

How to design your system to use session tickets

Generally, it’s a good idea to have multiple RADIUS servers to provide redundancy in your system. For example, we would recommend 2-3 RADIUS servers to support a network servicing 30,000 users.

When using session tickets for re-authentication, it is important to design the infrastructure so that if one of the servers goes down, the remaining servers can still access all the session ticket information. For multiple RADIUS servers, the session tickets can be stored in a separate shared file server, a database specific to session tickets, or the tickets can be signed with a key shared by all RADIUS servers.

Note that the session ticket itself has a very short lifetime. The tickets expire automatically, and the session ticket database can in fact be deleted at any time! If the session tickets are unavailable for any reason, the RADIUS server can simply re-authenticate the users once again.
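The lifecycle described above (a ticket issued after the full authentication, presented back on reconnection, verified without touching the user database, expiring on its own) and the "key shared by all RADIUS servers" deployment option can be seen end to end in the following added example. It is illustration code written for this article, not FreeRADIUS or any other project's implementation: the pool members, the user database, the shared ticket key and the timestamps are all constructed, and HMAC-SHA256 in counter mode stands in for the AES-based ticket encryption a real implementation (RFC 5077 style) would use, so that the block runs with only the standard library.

```python
import base64, hashlib, hmac, json, os, struct

# Constructed for this example: the ticket-protection key shared by every RADIUS
# server in the pool (the "signed with a key shared by all servers" option).
# A placeholder, not a key to deploy.
SHARED_TICKET_KEY = bytes(range(32))
TICKET_LIFETIME = 24 * 3600        # the article's upper bound: no more than a day
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(ticket_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one shared key."""
    return hmac.new(ticket_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a self-contained stand-in for the AES-based
    ticket encryption a real implementation (RFC 5077) would use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class RadiusServer:
    """One member of a RADIUS pool; every member is configured with the same ticket key."""

    def __init__(self, name: str, ticket_key: bytes, user_db: dict):
        self.name = name
        self.enc_key = _subkey(ticket_key, b"ticket-encryption")
        self.mac_key = _subkey(ticket_key, b"ticket-integrity")
        self.user_db = user_db     # the back-end user database (constructed)
        self.db_lookups = 0        # how often the authentication path touched it

    def full_authenticate(self, user: str, password: str, now: int):
        """First connection of the day: consult the database, then hand out a ticket."""
        self.db_lookups += 1
        if self.user_db.get(user) != password:
            return None, None
        session_key = os.urandom(32)
        return session_key, self.issue_ticket(user, session_key, now)

    def issue_ticket(self, user: str, session_key: bytes, now: int) -> bytes:
        """Encrypt-then-MAC the session state; the client keeps the opaque result."""
        state = json.dumps({"user": user, "key": session_key.hex(),
                            "exp": now + TICKET_LIFETIME, "issuer": self.name}).encode()
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(state, _keystream(self.enc_key, nonce, len(state)))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.b64encode(nonce + ciphertext + tag)

    def resume(self, ticket: bytes, now: int):
        """Reconnection: validate the ticket with the shared key only. The database is
        never consulted, so a removed user keeps working until the ticket expires;
        that is why the lifetime has to be short."""
        try:
            raw = base64.b64decode(ticket, validate=True)
        except ValueError:
            return None
        if len(raw) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None            # forged, corrupted, or issued under another key
        state = json.loads(_xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext))))
        if now >= state["exp"]:
            return None            # expired: the server falls back to a full authentication
        return state["user"], bytes.fromhex(state["key"])

def demo() -> dict:
    """Walk through the lifecycle the article describes and report each outcome."""
    users = {"alice": "correct-horse"}                       # constructed user database
    pool = [RadiusServer("radius-1", SHARED_TICKET_KEY, users),
            RadiusServer("radius-2", SHARED_TICKET_KEY, users)]
    outsider = RadiusServer("radius-x", bytes(32), users)    # not in the pool: other key
    t0 = 1_700_000_000

    session_key, ticket = pool[0].full_authenticate("alice", "correct-horse", t0)
    later = pool[1].resume(ticket, t0 + 3600)                # next class, other server
    del users["alice"]                                       # account removed mid-day
    after_removal = pool[1].resume(ticket, t0 + 2 * 3600)
    expired = pool[1].resume(ticket, t0 + TICKET_LIFETIME)
    raw = bytearray(base64.b64decode(ticket))
    raw[NONCE_LEN + 4] ^= 0x01                               # flip one ciphertext bit
    tampered = pool[1].resume(base64.b64encode(bytes(raw)), t0 + 60)

    return {
        "resumed_on_other_server": later == ("alice", session_key),
        "db_lookups_during_resume": pool[1].db_lookups,
        "valid_until_expiry_after_removal": after_removal is not None,
        "rejected_when_expired": expired is None,
        "rejected_when_tampered": tampered is None,
        "rejected_under_foreign_key": outsider.resume(ticket, t0 + 60) is None,
    }
```

Calling demo() shows the properties the article relies on: the second server resumes a ticket issued by the first without a single database lookup, a server outside the pool (or one whose key was rotated) cannot honour the ticket, and a corrupted or expired ticket is simply refused, after which the client goes through a full authentication again. The "valid_until_expiry_after_removal" result is the practical caveat behind the one-day cap: because resumption never consults the database, removing an account takes effect only when the ticket expires, so the lifetime is the deprovisioning delay you are accepting.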

The bottom line

TLS session tickets are a very useful mechanism to speed up performance in environments where repeated authentication requests are common. Faster reconnection results in happier users, which everyone wants. Furthermore, session tickets also provide an extra level of redundancy, and remove the user database from the critical path for authentication, freeing it up for other tasks.

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.
