EAP-GTC and cache_auth
Hello, I’m searching a way to cache authentification with EAP-GTC as a EAP phase 2. It is currently very easy with PAP (as I have the User-Password in the authenticate part) but I can’t succeed to find a way to cache it with EAP-GTC. Do I miss an attribute that would help me to cache an Access-Accept in that way ? Cyril Grosjean
On Sep 12, 2022, at 6:33 AM, Grosjean Cyril <cygrosjean+freeradius@gmail.com> wrote:
I’m searching a way to cache authentification with EAP-GTC as a EAP phase 2. It is currently very easy with PAP (as I have the User-Password in the authenticate part) but I can’t succeed to find a way to cache it with EAP-GTC.
You don't cache what the user entered, i.e. User-Password or EAP-GTC. You cache the Cleartext-Password attribute which you received from the database. And why are you trying to cache EAP-GTC anyways? Does the database disappear from time to time? If so, fix the database.
Do I miss an attribute that would help me to cache an Access-Accept in that way ?
You can't cache an Access-Accept for EAP. It doesn't work, and it's *always* the wrong thing to do. Alan DeKok.
Hello Alan, On 12 Sep 2022 at 19:27:02, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 12, 2022, at 6:33 AM, Grosjean Cyril < cygrosjean+freeradius@gmail.com> wrote:
I’m searching a way to cache authentification with EAP-GTC as a EAP phase 2.
It is currently very easy with PAP (as I have the User-Password in the
authenticate part) but I can’t succeed to find a way to cache it with
EAP-GTC.
You don't cache what the user entered, i.e. User-Password or EAP-GTC. You cache the Cleartext-Password attribute which you received from the database.
I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.
And why are you trying to cache EAP-GTC anyways? Does the database disappear from time to time? If so, fix the database.
I’m not trying to cache the EAP-GTC but the result of authentication against LDAP with a hash of User-Name/User-Password after “Bind as User” method.
Do I miss an attribute that would help me to cache an Access-Accept in that
way ?
You can't cache an Access-Accept for EAP. It doesn't work, and it's *always* the wrong thing to do.
As said before, I’m trying to cache auth (as documented on the Google Secure LDAP setup, with an other LDAP). I have already cached User-DN (which helped me remove one LDAP search), but I want to be able to remove as much LDAP bind as possible. It is clear that on v3.2 it said that it’s only compatible with PAP (it is working with PAP flawlessly on my setup). But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on the "authenticate" part and not the “authorize" part. The LDAP setup I’m facing is very complicated (lot of latencies), I may suffer hard rate-limit and it isn't possible to “fix it" from my PoV.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cyril Grosjean
On Sep 12, 2022, at 1:48 PM, Grosjean Cyril <cygrosjean+freeradius@gmail.com> wrote:
I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.
That does make things more problematic.
I’m not trying to cache the EAP-GTC but the result of authentication against LDAP with a hash of User-Name/User-Password after “Bind as User” method.
I'm not sure how you cache the "result of authentication". The LDAP "bind as user" just checks a password against LDAP. If that works for EAP-GTC, then the server has extracted the password, for use in the "auth-type PAP" section. So... just cache the User-Password there.
As said before, I’m trying to cache auth (as documented on the Google Secure LDAP setup, with an other LDAP). I have already cached User-DN (which helped me remove one LDAP search), but I want to be able to remove as much LDAP bind as possible.
It is clear that on v3.2 it said that it’s only compatible with PAP (it is working with PAP flawlessly on my setup). But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on the "authenticate" part and not the “authorize" part.
So? Auth-Type pap { pap if (EAP-Message && User-Password) { // cache User-Password } } That will work.
The LDAP setup I’m facing is very complicated (lot of latencies), I may suffer hard rate-limit and it isn't possible to “fix it" from my PoV.
I really dislike databases which aren't available. It's a terrible design. Alan DeKok.
On 12 Sep 2022 at 21:15:25, Alan DeKok <aland@deployingradius.com> wrote:
So?
Auth-Type pap { pap if (EAP-Message && User-Password) { // cache User-Password } }
That will work.
On my setup (again, pretty much the same as “google_ldap_auth” site), I validate the cache_auth_accept/reject on the authorize part. I’m using the debug_all module to take into advantage all the step, and I can see that it is only on the authenticate part that GTC expand the User-Password part. If I could expand the “User-Password” variable after the “eap” step in authorize, it would make my life easier (and compatible with the “google_ldap_auth” setup)" — So, I tried your suggestion that I should try the cache in the authenticate part, in the Auth-Type associated. I hope I understand you right. But again, if I’m right, it seems that cache module isn’t usable in the authenticate part ( https://github.com/FreeRADIUS/freeradius-server/blob/0962a824d7a7bd0c1c8390c... ) Should I modify my Freeradius to being able to use it in the authenticate part ? authenticate { Auth-Type PAP { if (EAP-Type == "GTC" && User-Password) { update control { &Cache-Read-Only := "yes" } cache_auth_accept if (ok) { update { &control:Auth-Type := Accept } return } else { ldap } } else { ldap } } If I want to do that, I need to modify the src/modules/rlm_cache/rlm_cache.c : diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c index 07fa098f45..9924cc2c8a 100644 --- a/src/modules/rlm_cache/rlm_cache.c +++ b/src/modules/rlm_cache/rlm_cache.c @@ -829,6 +829,7 @@ module_t rlm_cache = { .detach = mod_detach, .methods = { [MOD_AUTHORIZE] = mod_cache_it, + [MOD_AUTHENTICATE] = mod_cache_it, [MOD_PREACCT] = mod_cache_it, [MOD_ACCOUNTING] = mod_cache_it, [MOD_PRE_PROXY] = mod_cache_it, After compiling this, it start to work but I have a feeling that it is not correct on Freeradius model. Am I missing something ? Cyril Grosjean
On 12 Sep 2022 at 21:15:25, Alan DeKok <aland@deployingradius.com> wrote:
So?
Auth-Type pap { pap if (EAP-Message && User-Password) { // cache User-Password } }
That will work.
On my setup (again, pretty much the same as “google_ldap_auth” site), I validate the cache_auth_accept/reject on the authorize part. I’m using the debug_all module to take into advantage all the step, and I can see that it is only on the authenticate part that GTC expand the User-Password part. If I could expand the “User-Password” variable after the “eap” step in authorize, it would make my life easier (and compatible with the “google_ldap_auth” setup)" — So, I tried your suggestion that I should try the cache in the authenticate part, in the Auth-Type associated. I hope I understand you right. But again, if I’m right, it seems that cache module isn’t usable in the authenticate part ( https://github.com/FreeRADIUS/freeradius-server/blob/0962a824d7a7bd0c1c8390c... ) Should I modify my Freeradius to being able to use it in the authenticate part ? authenticate { Auth-Type PAP { if (EAP-Type == "GTC" && User-Password) { update control { &Cache-Read-Only := "yes" } cache_auth_accept if (ok) { update { &control:Auth-Type := Accept } return } else { ldap } } else { ldap } } If I want to do that, I need to modify the src/modules/rlm_cache/rlm_cache.c : diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c index 07fa098f45..9924cc2c8a 100644 --- a/src/modules/rlm_cache/rlm_cache.c +++ b/src/modules/rlm_cache/rlm_cache.c @@ -829,6 +829,7 @@ module_t rlm_cache = { .detach = mod_detach, .methods = { [MOD_AUTHORIZE] = mod_cache_it, + [MOD_AUTHENTICATE] = mod_cache_it, [MOD_PREACCT] = mod_cache_it, [MOD_ACCOUNTING] = mod_cache_it, [MOD_PRE_PROXY] = mod_cache_it, After compiling this, it start to work but I have a feeling that it is not correct on Freeradius model. Am I missing something ? Cyril Grosjean
On Sep 13, 2022, at 2:39 PM, Grosjean Cyril <cygrosjean+freeradius@gmail.com> wrote:
On my setup (again, pretty much the same as “google_ldap_auth” site), I validate the cache_auth_accept/reject on the authorize part.
That doesn't work for EAP-GTC.
I’m using the debug_all module to take into advantage all the step, and I can see that it is only on the authenticate part that GTC expand the User-Password part. If I could expand the “User-Password” variable after the “eap” step in authorize, it would make my life easier (and compatible with the “google_ldap_auth” setup)"
— So, I tried your suggestion that I should try the cache in the authenticate part, in the Auth-Type associated. I hope I understand you right.
But again, if I’m right, it seems that cache module isn’t usable in the authenticate part ( https://github.com/FreeRADIUS/freeradius-server/blob/0962a824d7a7bd0c1c8390c... ) Should I modify my Freeradius to being able to use it in the authenticate part ?
No. You can run the "authorize" method of the cache module by doing: cache_auth_accept.authorize Alan DeKok.
On 13 Sep 2022 at 20:56:55, Alan DeKok <aland@deployingradius.com> wrote:
No. You can run the "authorize" method of the cache module by doing:
cache_auth_accept.authorize
Thank you, I also saw that you took my code and implemented it in v.3.2.0. I would have made a MR if you told me that it was OK 🙂 It is working great now. Cyril
participants (2)
-
Alan DeKok -
Grosjean Cyril