On 2/25/15, 4:08 PM, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
The ThinLinc documentation (https://www.cendio.com/resources/docs/tag/otp_authentication.html) states in its requirements.
" An OTP server which accepts the OTP twice. This is due to the ThinLinc architecture: The client first contacts the master machine, and then the agent host. The NordicEdge One Time Password Server has built-in support for ThinLinc. When using RSA SecurID, we recommend using the Steel-Belted Radius server as a "Token Caching Server". "
I don't want to setup Steel-Belted Radius, or RADIATOR. I'd rather use freeradius. I found something in the archives that I belive is exactly what I need. I'm just not sure how to go about setting it up. http://lists.freeradius.org/pipermail/freeradius-users/2013-February/0652 00.html
It may be my version of freeradius is too old to use this particular type of caching. I'm using freeradius-server 2.1.1-7.18.1 SLES11-SP3
Hopefully This clears things up a little.
Assuming you have an architecture like:
thinLinc1 -|- FreeRADIUS - LDAP<sasl><yubikey plugin> thinLinc2 -|
Yes you can use rlm_cache to allow the same password to be used within a given window without sending it to LDAP. Your version of FreeRADIUS does not support caching. It is very old. You can upgrade to 2.2.6 which should be config compatible, and does support caching.
You'll have to be careful when defining your policy to only allow duplicate auths from servers within the same cluster, else you'll break the replay protection.
SO I¹ve installed a newer version of freeradius with the rlm_cache module. I¹ve configured it like the Feb2013 email above. However a curious problem. If I use radtest and submit two bad passwords one after another. The first fails with a Reject; the second passes with Accept.