Cache One Time Password OTP
mark.gardner at kc.frb.org
Sat Mar 14 03:52:12 CET 2015
On 2/25/15, 4:08 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
>> The ThinLinc documentation states in its requirements:
>> An OTP server which accepts the OTP twice. This is due to the ThinLinc
>> architecture: The client first contacts the master machine, and then the
>> agent host. The NordicEdge One Time Password Server has built-in support
>> for ThinLinc. When using RSA SecurID, we recommend using the
>> Steel-Belted Radius server as a "Token Caching Server".
>> I don't want to set up Steel-Belted Radius, or RADIATOR. I'd rather use
>> freeradius. I found something in the archives that I believe is exactly
>> what I need. I'm just not sure how to go about setting it up.
>> It may be my version of freeradius is too old to use this particular
>> type of caching. I'm using freeradius-server 2.1.1-7.18.1 SLES11-SP3
>> Hopefully this clears things up a little.
>Assuming you have an architecture like:
>thinLinc1 -|- FreeRADIUS - LDAP<sasl><yubikey plugin>
>Yes you can use rlm_cache to allow the same password to be used within a
>given window without sending it to LDAP. Your version of FreeRADIUS does
>not support caching. It is very old. You can upgrade to 2.2.6 which
>should be config compatible, and does support caching.
>You'll have to be careful when defining your policy to only allow
>duplicate auths from servers within the same cluster, else you'll break
>the replay protection.
So I've installed a newer version of freeradius with the rlm_cache module.
I've configured it like the Feb 2013 email above. However, a curious
problem: if I use radtest and submit two bad passwords one after
another, the first fails with a Reject; the second passes with Accept.
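As an added illustration (not code from this thread or from FreeRADIUS), the token-caching policy Arran describes, modelled in Python: the backend, user names and NAS addresses are constructed, and the `cache_before_auth` flag reproduces one way to get the behaviour Mark reports, namely filling the cache from the request in authorize before the backend has checked the OTP, so the next attempt matches the cached (bad) value.

```python
import hashlib
import hmac
import time


class TokenCachingServer:
    """rlm_cache-style policy: a freshly accepted OTP may be reused once more within ttl."""

    def __init__(self, backend, cluster_nas, ttl=10, cache_before_auth=False, clock=time.monotonic):
        self.backend = backend            # backend(user, otp) -> bool, consumes the OTP on success
        self.cluster_nas = frozenset(cluster_nas)   # only NAS in the same ThinLinc cluster may reuse
        self.ttl = ttl
        self.cache_before_auth = cache_before_auth  # True reproduces the reported misbehaviour
        self.clock = clock
        self._cache = {}                  # user -> (sha256(otp), expiry)

    def _cached_hit(self, user, digest, nas_ip):
        entry = self._cache.get(user)
        if entry is None:
            return False
        cached, expiry = entry
        if self.clock() >= expiry:
            del self._cache[user]
            return False
        return nas_ip in self.cluster_nas and hmac.compare_digest(cached, digest)

    def authenticate(self, user, otp, nas_ip):
        digest = hashlib.sha256(otp.encode()).digest()
        if self._cached_hit(user, digest, nas_ip):
            return "Access-Accept"        # second hop (agent host) within the window
        if self.cache_before_auth:
            # Broken: caching in authorize, before the OTP is checked, makes whatever
            # was just submitted (good or bad) the 'known good' password for ttl seconds.
            self._cache[user] = (digest, self.clock() + self.ttl)
        accepted = self.backend(user, otp)
        if accepted and not self.cache_before_auth:
            # Correct: populate the cache only in post-auth, after an Access-Accept.
            self._cache[user] = (digest, self.clock() + self.ttl)
        return "Access-Accept" if accepted else "Access-Reject"


def one_time_backend(valid_pairs):
    """Constructed stand-in for the OTP server: each (user, otp) pair is valid exactly once."""
    remaining = set(valid_pairs)
    def check(user, otp):
        if (user, otp) in remaining:
            remaining.discard((user, otp))
            return True
        return False
    return check
```

With the correct ordering, a failed attempt never enters the cache, a reuse from a NAS outside the cluster falls through to the backend (where the consumed OTP is rejected), and the entry expires after `ttl` seconds.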