We are trying to setup a freeradius 3.0.7 server that uses EAP-PEAP and EAP-TTLS, both with MSCHAPv2. This server reads a users Cleartext-Password from an ldap server. In order to minimize the calls to the ldap server we are trying to use rlm_cache to cache the NT-Password and LM-Password so that when a user logs in after the initial log in freeradius does not need to query the ldap server.
Surely that means that when the password is changed the RADIUS server doesn't notice immediately?
We are only caching the entry for a couple hours. So yes there could be instances of the cache in radius not being synchronized with ldap.
This works with EAP-TTLS, but it does not work with EAP-PEAP. The NT-Password and LM-Password do not seem to be available to the caching module with EAP-PEAP.
My guess: EAP-TTLS tunnels standard mschap internally, so hits the mschap module. Using PEAP, you're actually doing PEAP/EAP-MSCHAPv2 (an EAP type), so the eap module calls mschap behind the scenes, and the mschap call in your config isn't used. So by the time you call cache/ldap/mschap, mschap has already been called and done its stuff.
I'd first try moving eap, as per below, but I've not tested this.
Matthew
sites-enabled/inner-tunnel:
authorize { update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } else { cache } eap { ok = return } mschap }
I have made this change, but the behavior is still the same.
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> -
________________________________ CONFIDENTIALITY NOTICE: This e-mail may contain information that is privileged, confidential or otherwise protected from disclosure. **If you are not the intended recipient of this e-mail, please notify the sender immediately by return e-mail, purge it and do not disseminate or copy it.