On Mar 13, 2015, at 10:52 PM, Gardner, Mark <mark.gardner@kc.frb.org> wrote:
SO I¹ve installed a newer version of freeradius with the rlm_cache module. I¹ve configured it like the Feb2013 email above. However a curious problem. If I use radtest and submit two bad passwords one after another. The first fails with a Reject; the second passes with Accept.
So… there’s debug output you can read, right?
So I mucked around with it some more and I think I have it figured out. Here is my default site. cat sites-enabled/default | egrep -v "(#.*|^$)" authorize { preprocess eap { ok = return } ldap cache if (ok) { update control { Auth-Type := Accept Cache-Status-Only !* ANY Cache-TTL = 0 } ok } else { update control { Cache-Status-Only !* ANY } } expiration logintime pap } authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix files } accounting { detail exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject update control { Cache-TTL = 0 } cache update control { Cache-TTL !* ANY } } cache } pre-proxy { } post-proxy { eap } This is just for pam_radius_auth for other linux boxes. The only situation I have is that I may want to resolve is. If the second request (within the TTL of 10 seconds) has a different/bad password, it will still ACCPET and not REJECT. Mostly because I don’t see it cacheing the password.