Jonathan, I have had some success on our servers with the EAP caching available in the eap.conf file within the tls {} block. It does take some additional work to save/restore attributes from the cache, but it's been successful for me for _some_ subset of authentications in not having to go all the way to AD during the cache time. It's going to totally depend upon client behavior/capabilities. - JohnD On 11/25/2013 08:15 AM, Arran Cudbard-Bell wrote:
On 25 Nov 2013, at 12:26, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
Probably a simple question, but I've Googled it and I can't find the answer.
Is it possible to wrap an ntlm_auth backend in rlm_cache? Our active directory is frequently quite slow. If we were able to grab at least some of these authentications from the cache I think it would help a lot.
I don't know exactly what data is returned from NTLM, is it cacheable or does it have to be fresh each time? By the fact that I haven't found any mention of anyone doing this, I suspect it's probably not possible.
For PAP yes, for MSCHAPv2 no (challenge/response).
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html