Hi, I`m playing with rlm_cache. I want to cache auth request to speed up future processing of the same auth request. If I send second request (the same as first one), I got reject :(. Could you please help, me. Thx. mods-enabled/cache: ... update { request: := &request: control: := &control: reply: := &reply: } ... sites-enabled/default: authorize { verify_nas preprocess chap suffix update control { Cache-Status-Only := 'yes' } cache if (notfound) { files update control { Cache-Status-Only := 'no' } cache } pap } Debug output: radiusd: FreeRADIUS Version 3.0.3, for host i686-pc-linux-gnu, built on Sep 1 2014 at 21:59:53 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /mnt/sdcard/software/freeradius-server-3.0.3/share/freeradius/dictionary including dictionary file /mnt/sdcard/software/freeradius-server-3.0.3/share/freeradius/dictionary.dhcp including dictionary file /mnt/sdcard/software/freeradius-server-3.0.3/share/freeradius/dictionary.vqp including dictionary file ./dictionary including configuration file ./radiusd.conf including configuration file ./proxy.conf including configuration file ./clients.conf including files in directory ./mods-enabled/ including configuration file ./mods-enabled/digest including configuration file ./mods-enabled/pap including configuration file ./mods-enabled/cache including configuration file ./mods-enabled/attr_filter including configuration file ./mods-enabled/chap including configuration file ./mods-enabled/linelog including configuration file ./mods-enabled/expr including configuration file ./mods-enabled/preprocess including configuration file ./mods-enabled/realm including configuration file ./mods-enabled/unpack including configuration file ./mods-enabled/files including configuration file ./mods-enabled/always including files in directory ./policy.d/ including configuration file ./policy.d/cui including configuration file ./policy.d/control including configuration file ./policy.d/filter including configuration file ./policy.d/eap including configuration file ./policy.d/nas including configuration file ./policy.d/accounting including configuration file ./policy.d/dhcp including configuration file ./policy.d/operator-name including configuration file ./policy.d/canonicalization including files in directory ./sites-enabled/ including configuration file ./sites-enabled/default main { name = "radiusd" prefix = "/mnt/sdcard/software/freeradius-server-3.0.3" localstatedir = "/mnt/sdcard/software/freeradius-server-3.0.3/var" sbindir = "/mnt/sdcard/software/freeradius-server-3.0.3/sbin" logdir = "/mnt/sdcard/software/freeradius-server-3.0.3/var/log/radius" run_dir = "/mnt/sdcard/software/freeradius-server-3.0.3/var/run/radiusd" libdir = "/mnt/sdcard/software/freeradius-server-3.0.3/lib" radacctdir = "/mnt/sdcard/software/freeradius-server-3.0.3/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/mnt/sdcard/software/freeradius-server-3.0.3/var/run/radiusd/radiusd.pid" checkrad = "/mnt/sdcard/software/freeradius-server-3.0.3/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "yes" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_digest # Instantiating module "digest" from file ./mods-enabled/digest # Loaded module rlm_pap # Instantiating module "pap" from file ./mods-enabled/pap pap { normalise = yes } # Loaded module rlm_cache # Instantiating module "cache" from file ./mods-enabled/cache cache { key = "%{User-Name}" ttl = 86400 max_entries = 16384 epoch = 0 add_stats = yes } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file ./mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "./mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file ./mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file ./mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "./mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file ./mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file ./mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "./mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file ./mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file ./mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "./mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file ./mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file ./mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "./mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file ./mods-config/attr_filter/accounting_response # Loaded module rlm_chap # Instantiating module "chap" from file ./mods-enabled/chap # Loaded module rlm_linelog # Instantiating module "linelog" from file ./mods-enabled/linelog linelog { filename = "/mnt/sdcard/software/freeradius-server-3.0.3/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file ./mods-enabled/linelog linelog log_accounting { filename = "/mnt/sdcard/software/freeradius-server-3.0.3/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_expr # Instantiating module "expr" from file ./mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file ./mods-enabled/preprocess preprocess { huntgroups = "./mods-config/preprocess/huntgroups" hints = "./mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file ./mods-config/preprocess/huntgroups reading pairlist file ./mods-config/preprocess/hints # Loaded module rlm_realm # Instantiating module "IPASS" from file ./mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file ./mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file ./mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file ./mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_unpack # Instantiating module "unpack" from file ./mods-enabled/unpack # Loaded module rlm_files # Instantiating module "files" from file ./mods-enabled/files files { filename = "./mods-config/files/authorize" usersfile = "./mods-config/files/authorize" acctusersfile = "./mods-config/files/accounting" preproxy_usersfile = "./mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file ./mods-config/files/authorize [./mods-config/files/authorize]:83 Cistron compatibility checks for entry dummy ... [./mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ... [./mods-config/files/authorize]:198 Cistron compatibility checks for entry DEFAULT ... [./mods-config/files/authorize]:205 Cistron compatibility checks for entry DEFAULT ... reading pairlist file ./mods-config/files/authorize [./mods-config/files/authorize]:83 Cistron compatibility checks for entry dummy ... [./mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ... [./mods-config/files/authorize]:198 Cistron compatibility checks for entry DEFAULT ... [./mods-config/files/authorize]:205 Cistron compatibility checks for entry DEFAULT ... reading pairlist file ./mods-config/files/accounting reading pairlist file ./mods-config/files/pre-proxy # Loaded module rlm_always # Instantiating module "reject" from file ./mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file ./mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file ./mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file ./mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file ./mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file ./mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file ./mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file ./mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file ./mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } } # modules radiusd: #### Loading Virtual Servers #### server { # from file ./radiusd.conf } # server server default { # from file ./sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 53265 Ready to process requests. Received Access-Request Id 34 from 127.0.0.1:51488 to 127.0.0.1:1812 length 95 NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP User-Name = 'dummy' User-Password = 'dummy' Connect-Info = '8640000' NAS-Port = 411 NAS-Port-Id = 'Uniq-Sess-ID411' (0) # Executing section authorize from file ./sites-enabled/default (0) authorize { (0) verify_nas verify_nas { (0) if ( ! NAS-IP-Address ) (0) if ( ! NAS-IP-Address ) -> TRUE (0) if ( ! NAS-IP-Address ) { (0) update { (0) EXPAND %{Packet-Src-IP-Address} (0) --> 127.0.0.1 (0) NAS-IP-Address := 127.0.0.1 (0) } # update = noop (0) } # if ( ! NAS-IP-Address ) = noop (0) } # verify_nas verify_nas = noop (0) [preprocess] = ok (0) [chap] = noop (0) suffix : No '@' in User-Name = "dummy", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) update control { (0) Cache-Status-Only := yes (0) } # update control = noop (0) cache : EXPAND %{User-Name} (0) cache : --> dummy (0) [cache] = notfound (0) if (notfound) (0) if (notfound) -> TRUE (0) if (notfound) { (0) files : users: Matched entry dummy at line 83 (0) [files] = ok (0) update control { (0) Cache-Status-Only := no (0) } # update control = noop (0) cache : EXPAND %{User-Name} (0) cache : --> dummy (0) cache : Creating entry for "dummy" (0) cache : request: := &request:NAS-Port-Type (0) cache : request: := &request:Service-Type (0) cache : request: := &request:Framed-Protocol (0) cache : request: := &request:User-Name (0) cache : request: := &request:User-Password (0) cache : request: := &request:Connect-Info (0) cache : request: := &request:NAS-Port (0) cache : request: := &request:NAS-Port-Id (0) cache : request: := &request:NAS-IP-Address (0) cache : request: := &request:Huntgroup-Name (0) cache : control: := &config:Cleartext-Password (0) cache : skipping Cache-Status-Only (0) cache : reply: := &reply:Service-Type (0) cache : reply: := &reply:Framed-Protocol (0) cache : reply: := &reply:Framed-IP-Address (0) cache : reply: := &reply:Framed-IP-Netmask (0) cache : reply: := &reply:Framed-Routing (0) cache : reply: := &reply:Framed-Filter-Id (0) cache : reply: := &reply:Framed-MTU (0) cache : reply: := &reply:Framed-Compression (0) cache : Inserted entry, TTL 86400 seconds (0) [cache] = updated (0) } # if (notfound) = updated (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file ./sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password (0) pap : User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) Login OK: [dummy/dummy] (from client localhost port 411) (0) # Executing section post-auth from file ./sites-enabled/default (0) post-auth { (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop Sending Access-Accept Id 34 from 127.0.0.1:1812 to 127.0.0.1:51488 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = 'std.ppp' Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP (0) Finished request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 34 with timestamp +3 Ready to process requests. Received Access-Request Id 243 from 127.0.0.1:59013 to 127.0.0.1:1812 length 95 NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP User-Name = 'dummy' User-Password = 'dummy' Connect-Info = '8640000' NAS-Port = 411 NAS-Port-Id = 'Uniq-Sess-ID411' (1) # Executing section authorize from file ./sites-enabled/default (1) authorize { (1) verify_nas verify_nas { (1) if ( ! NAS-IP-Address ) (1) if ( ! NAS-IP-Address ) -> TRUE (1) if ( ! NAS-IP-Address ) { (1) update { (1) EXPAND %{Packet-Src-IP-Address} (1) --> 127.0.0.1 (1) NAS-IP-Address := 127.0.0.1 (1) } # update = noop (1) } # if ( ! NAS-IP-Address ) = noop (1) } # verify_nas verify_nas = noop (1) [preprocess] = ok (1) [chap] = noop (1) suffix : No '@' in User-Name = "dummy", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) update control { (1) Cache-Status-Only := yes (1) } # update control = noop (1) cache : EXPAND %{User-Name} (1) cache : --> dummy (1) cache : Found entry for "dummy" (1) [cache] = ok (1) if (notfound) (1) if (notfound) -> FALSE (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type. (1) WARNING: pap : Authentication will fail unless a "known good" password is available. (1) [pap] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user. (1) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [dummy/dummy] (from client localhost port 411) (1) Using Post-Auth-Type Reject (1) # Executing group from file ./sites-enabled/default (1) Post-Auth-Type REJECT { (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (reply:EAP-Message && reply:Reply-Message) (1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = noop (1) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response Sending Access-Reject Id 243 from 127.0.0.1:1812 to 127.0.0.1:59013 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 243 with timestamp +10 Ready to process requests. Peter