Cache user access on eap-ttls with ldap as authenticate system
André
netriver at gmail.com
Thu Jan 14 19:13:29 CET 2021
Hello Alan,
I was thinking about a hack...
From the established/accepted connection for the person, I would store the password encrypted with SHA-512 (or a better mechanism) with a TTL in a database such as MariaDB or the like.
If the system hits the cache:

    update control {
        Cache-Status-Only = 'yes'
    }
    cache
    if (User-Password && !notfound) {
        ldap
        if (!ok) {
            update control {
                # Perl / Python script controls if the server is available or not.
                # If not, it uses the cache to do auth with the user password against
                # the local hashed pass + username.
                # Can do additional controls like OTP.
                Auth-Type := perl
            }
        }
    }
    if (User-Password && notfound) {
        update control {
            Auth-Type := ldap
        }
    }
    cache
In authorize I have:

    Auth-Type perl {
        if (!notfound) {
            perl
        }
    }

Any comments?
On Thu, Jan 14, 2021 at 5:36 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 14, 2021, at 12:00 PM, André <netriver at gmail.com> wrote:
> >
> > This only caches LDAP attributes; it's not able to store results,
> > Access-Accept for example, from an existing LDAP-confirmed authentication?
>
> No.
>
> > Would it be possible to store the result "Access-Accept" for a user +
> > password combination for future approval?
>
> No.
>
> That's not how EAP works. You *cannot* just cache EAP packets and
> expect it to work.
>
> Your options are:
>
> a) cache the Cleartext-Password (or whatever) returned from LDAP
>
> b) set up session resumption caching. See the "cache" subsection of mods-available/eap
>
> c) both of the above
>
> Alan DeKok.
>
>
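As an added illustration of the offline fallback sketched above (the Perl/Python step checking the user's password against the locally stored hash + username with a TTL), not code from the thread or from FreeRADIUS: it assumes an in-memory dict stands in for the MariaDB table, that entries are written only after LDAP accepted the credential, and it uses salted, iterated PBKDF2-HMAC-SHA512 as the "better mechanism" instead of a bare SHA-512 of the password.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000          # PBKDF2 work factor; tune to the RADIUS server's CPU budget
TTL_SECONDS = 24 * 3600       # how long a cached credential stays valid after the last LDAP success

# Constructed stand-in for the cache table: username -> (salt, hash, expires_at)
CACHE = {}


def store_credential(username, password, now=None, ttl=TTL_SECONDS):
    """Record a credential that LDAP has just accepted, with an expiry time.

    Called from the path where `ldap` returned ok; a per-user random salt
    keeps identical passwords from producing identical stored hashes.
    """
    now = time.time() if now is None else now
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    CACHE[username] = (salt, digest, now + ttl)


def cache_auth(username, password, now=None):
    """Offline check used when LDAP is unreachable.

    Returns 'ok' if an unexpired entry exists and the password matches,
    'notfound' if there is no usable entry (missing or expired entries are
    purged), and 'reject' on a password mismatch. These map onto the
    rlm_perl/rlm_python return codes the unlang block would branch on.
    """
    now = time.time() if now is None else now
    entry = CACHE.get(username)
    if entry is None:
        return "notfound"
    salt, digest, expires_at = entry
    if now >= expires_at:
        # Stale credential: drop it so a revoked LDAP password cannot be
        # used offline indefinitely.
        del CACHE[username]
        return "notfound"
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so response timing does not reveal how many
    # bytes of the hash matched.
    if hmac.compare_digest(candidate, digest):
        return "ok"
    return "reject"
```

The TTL bounds how long an LDAP password change or account lockout can be bypassed via the cache, so pick it against that window rather than for convenience.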