On Fri, Feb 27, 2015 at 04:04:04PM +0000, Sherker, Donald wrote:
We are trying to setup a freeradius 3.0.7 server that uses EAP-PEAP and EAP-TTLS, both with MSCHAPv2. This server reads a users Cleartext-Password from an ldap server. In order to minimize the calls to the ldap server we are trying to use rlm_cache to cache the NT-Password and LM-Password so that when a user logs in after the initial log in freeradius does not need to query the ldap server.
Surely that means that when the password is changed the RADIUS server doesn't notice immediately?
This works with EAP-TTLS, but it does not work with EAP-PEAP. The NT-Password and LM-Password do not seem to be available to the caching module with EAP-PEAP.
My guess: EAP-TTLS tunnels standard mschap internally, so hits the mschap module. Using PEAP, you're actually doing PEAP/EAP-MSCHAPv2 (an EAP type), so the eap module calls mschap behind the scenes, and the mschap call in your config isn't used. So by the time you call cache/ldap/mschap, mschap has already been called and done its stuff. I'd first try moving eap, as per below, but I've not tested this. Matthew
sites-enabled/inner-tunnel:
authorize { update control { Cache-Status-Only = 'yes' } cache if (notfound) { ldap } else { cache } eap { ok = return } mschap }
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>