On 23 Apr 2012(Q2, W17), at 12:09, Jeroen Scheerder wrote:
What I'd like to acomplish is:
- Cache authentication requests - Uncached or expired requests are passed on to the proxy - Cached authentication requests are handled (within the specified TTL)
I've set up caching, and I see some of it working.
With a little more work, I've narrowed my problem down to the caching_postauth function in rlm_caching.c. It reads: "" if ((auth_type = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL){ DEBUG("rlm_caching: Found Auth-Type, value: '%s'",auth_type->vp_strvalue); if (strcmp(auth_type->vp_strvalue,"Reject") == 0 && data->cache_rejects == 0){ DEBUG("rlm_caching: No caching of Rejects. Returning NOOP"); return RLM_MODULE_NOOP; } if (strlen(auth_type->vp_strvalue) > MAX_AUTH_TYPE - 1){ DEBUG("rlm_caching: Auth-Type value too large"); return RLM_MODULE_NOOP; } } "" When ran, this results in: rlm_caching: Found Auth-Type, value: '' … when caching an already accepted authentication request. Subsequent requests are actually found in the cache and handled: rlm_caching: Searching the database for key 'on2it-js@rsa.on2it.net:480378:172.17.202.55' rlm_caching: Key Found. rlm_caching: VP='Class',VALUE='default_group',lenth='14',cache record length='39' rlm_caching: Adding Auth-Type '' rlm_caching: Cache Queries: 5, Cache Hits: 1, Hit Ratio: 20.00% ++[caching] returns ok However, the cached Auth-Type of '' poses a problem: Found Auth-Type = Local WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. No "known good" password was configured for the user. As a result, we cannot authenticate the user. Failed to authenticate the user. Using Post-Auth-Type Reject I've modified rlm_caching.c thusly: if ((auth_type = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL){ DEBUG("rlm_caching: Found Auth-Type, value: '%s'",auth_type->vp_strvalue); /* JS - set Auth-Type to 'Accept' if unset */ if (strcmp(auth_type->vp_strvalue,"") == 0){ DEBUG("rlm_caching: Auth-Type unset, assigning value: '%s'", "Accept"); strcpy(auth_type->vp_strvalue, "Accept"); } if (strcmp(auth_type->vp_strvalue,"Reject") == 0 && data->cache_rejects == 0){ DEBUG("rlm_caching: No caching of Rejects. Returning NOOP"); return RLM_MODULE_NOOP; } if (strlen(auth_type->vp_strvalue) > MAX_AUTH_TYPE - 1){ DEBUG("rlm_caching: Auth-Type value too large"); return RLM_MODULE_NOOP; } } This has the following effect: rlm_caching: Found Auth-Type, value: '' rlm_caching: Auth-Type unset, assigning value: 'Accept' […] rlm_caching: New value stored successfully. ++[caching] returns ok Sending Access-Accept of id 72 to 127.0.0.1 port 56586 User-Name = "testing" NAS-IP-Address = 172.17.202.55 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 63643, id=178, length=77 User-Name = "testing" User-Password = "password" NAS-IP-Address = 172.17.202.55 NAS-Port = 0 Message-Authenticator = 0x22ec5564c881d6ba20af882fa2369b31 # Executing section authorize from file /root/etc/raddb/sites-enabled/default […] [caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> testing:password:172.17.202.55 rlm_caching: Searching the database for key 'testing:password:172.17.202.55' rlm_caching: Key Found. rlm_caching: VP='User-Name',VALUE='testing',lenth='7',cache record length='22' rlm_caching: VP='NAS-IP-Address',VALUE='172.17.202.55',lenth='4',cache record length='53' rlm_caching: Adding Auth-Type 'Accept' rlm_caching: Cache Queries: 2, Cache Hits: 2, Hit Ratio: 100.00% ++[caching] returns ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user Note that actual rejects don't seem to make the caching_postauth function, for whatever reason. This seems to be working. No doubt somebody'll step in and tell me how utterly wrong this is. :-) Still, I'm content so far. But I have one more thing to take care of: I'd like to enable caching only for specific clients. How could I acomplish that? Regards, Jeroen. -- Jeroen Scheerder ON2IT B.V. Steenweg 17 B 4181 AJ WAARDENBURG T: +31 418-653818 | F: +31 418-653716 W: www.on2it.net | E: Jeroen.Scheerder@on2it.net Premier Business Partner - IBM | Reseller of the Year 2011 - Palo Alto Networks