Hi, We have a SSL-VPN client that authenticates in two stages. When using authentication with RSA OTP tokens, the second request is considered to be a replay by the RSA server, and denied for that reason. The authentication itself is handled by proxy through a Freeradius server (2.1.12 with experimental modules). What I'd like to acomplish is: - Cache authentication requests - Uncached or expired requests are passed on to the proxy - Cached authentication requests are handled (within the specified TTL) I've set up caching, and I see some of it working. From the debug output, I see this for the first request: ---- Snip ---- +- entering group authorize {...} [preprocess] expand: %{User-Name} -> js [preprocess] hints: Matched DEFAULT at 80 [preprocess] expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js@rsa.on2it.net ++[preprocess] returns ok [caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js@rsa.on2it.net:480378:172.17.202.55 rlm_caching: Searching the database for key 'on2it-js@rsa.on2it.net:480378:172.17.202.55' rlm_caching: Could not find the requested key in the database. rlm_caching: Cache Queries: 4, Cache Hits: 0, Hit Ratio: 0.00% […] [then we see the proxy request being handled, successfully] […] +- entering group post-auth {...} ++[exec] returns noop rlm_caching: Found Auth-Type, value: '' [caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js@rsa.on2it.net:480378:172.17.202.55 rlm_caching: VP=Class,VALUE=default_group,length=38,cache record length=39, space left=711 rlm_caching: Storing cache for Key='on2it-js@rsa.on2it.net:480378:172.17.202.55' rlm_caching: New value stored successfully. ++[caching] returns ok Sending Access-Accept of id 69 to 127.0.0.1 port 18782 Class = 0x64656661756c745f67726f757000 ---- pinS ---- This all seems more or less plausible, except for "Found Auth-Type, value: ''" For the second request (fired within a few seconds), I see: ---- Snip ---- Executing section authorize from file /root/etc/raddb/sites-enabled/default +- entering group authorize {...} [preprocess] expand: %{User-Name} -> js [preprocess] hints: Matched DEFAULT at 80 [preprocess] expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js@rsa.on2it.net ++[preprocess] returns ok [caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js@rsa.on2it.net:480378:172.17.202.55 rlm_caching: Searching the database for key 'on2it-js@rsa.on2it.net:480378:172.17.202.55' rlm_caching: Key Found. rlm_caching: VP='Class',VALUE='default_group',lenth='14',cache record length='39' rlm_caching: Adding Auth-Type '' rlm_caching: Cache Queries: 5, Cache Hits: 1, Hit Ratio: 20.00% ++[caching] returns ok Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject ---- pinS ---- So I'm getting a Reject for a cached Accept, in effect, and that seems to be due to the Auth-Type. This happens equally for non-proxied requests, i.e. with the following entry in "users": testing Cleartext-Password := "password" User-Name = "%{User-Name}", NAS-IP-Address = "%{NAS-IP-Address}" What am I missing, and what can I do to get cached authentication requests handled? TIA, JS. -- Jeroen Scheerder ON2IT B.V. Steenweg 17 B 4181 AJ WAARDENBURG T: +31 418-653818 | F: +31 418-653716 W: www.on2it.net | E: Jeroen.Scheerder@on2it.net Premier Business Partner - IBM | Reseller of the Year 2011 - Palo Alto Networks