Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)

John Douglass john.douglass at oit.gatech.edu
Fri Mar 4 18:34:26 CET 2011


Group,

Recently, my AD servers were patched by another support group and this 
caused a (small but noticeable) service outage for our WPA radius 
services (Radius 2.1.9).

I am curious how others who are using AD as their backends have either 
configured smb.conf/winbind/radius in order to do high availability for 
authentications.

I do have configured:

smb.conf

     password server = server1.ad.gatech.edu server2.ad.gatech.edu

But that didn't seem to help with failures. What I am seeing in the logs 
(during outages such as these) is:

     Mar  3 06:47:55 dvlanb radiusd[17093]: Discarding duplicate request from client My-WiSM port 32770 - ID: 95 due to unfinished request 466
     Mar  3 06:47:55 dvlanb radiusd[17093]: Child PID 17274 is taking too much time: forcing failure and killing child.

I am pretty certain this is from a non-responsive "ntlm_auth" call.

I have searched for options to winbind and ntlm_auth that might assist 
in caching authentication requests so that slight hiccups like these do 
not disturb our users.

I thought of possibly writing a custom "ntlm_auth" script that performs 
a cache lookup and responds correctly as ntlm_auth regularly would, and 
if there is no valid cache entry, then tries the real ntlm_auth command and 
adds a cache entry.

Does someone have any suggestions on configuration changes on radius or 
samba that might help?

from my sites-available/wpa-services file:

authorize {
     #  The preprocess module takes care of sanitizing some bizarre attributes in
     #  the request, and turning them into attributes which are more standard.
     preprocess

     #
     #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
     #  authentication.
     eap {
         ok = return
     }

     #
     #  Look in an SQL database.  The schema of the database is meant to
     #  mirror the "users" file.
     sqlwpa
}


#  Authentication.
authenticate {
     #  MSCHAP authentication.
     Auth-Type MS-CHAP {
         mschap
     }

     #  Allow EAP authentication.
     eap
}

Thanks in advance,
- John Douglass, Senior Systems Architect
Georgia Institute of Technology
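A wrapper along the lines John sketches, added here as an example and not part of the original post or of Samba/FreeRADIUS. It assumes Linux with GNU coreutils (sha256sum, timeout) and the hypothetical variables NTLM_CACHE_DIR, NTLM_CACHE_TTL, NTLM_TIMEOUT and REAL_NTLM_AUTH. The cache key covers every argument, including the per-request challenge and NT-Response, because a key on the username alone would accept any response for a cached user; the consequence is that a hit is only possible for an exact retransmit, a fresh MSCHAPv2 login always carries a new challenge, so the cache cannot mask an AD outage and the practical gain is the bounded call time instead of a killed child.

```shell
#!/bin/sh
# Caching/timeout wrapper around ntlm_auth (added example, hypothetical env names).
# Drop-in: called with the same arguments mschap passes to ntlm_auth.

cache_key() {
    # Hash of every argument (challenge and nt-response included), so two
    # requests only share an entry when they are byte-for-byte identical.
    printf '%s\n' "$@" | sha256sum | cut -d' ' -f1
}

run_ntlm_auth() {
    cache_dir="${NTLM_CACHE_DIR:-/var/cache/ntlm_auth}"   # assumed path
    ttl="${NTLM_CACHE_TTL:-60}"                           # seconds; keep short
    real="${REAL_NTLM_AUTH:-/usr/bin/ntlm_auth}"          # the real binary
    limit="${NTLM_TIMEOUT:-5}"                            # seconds before we give up on AD
    mkdir -p -m 0700 "$cache_dir"    # entries hold NT_KEY material: owner-only
    entry="$cache_dir/$(cache_key "$@")"
    now=$(date +%s)
    # Entry layout: line 1 = unix timestamp, remaining lines = ntlm_auth output.
    if [ -f "$entry" ] && read -r stamp < "$entry" && [ $((now - stamp)) -lt "$ttl" ]; then
        tail -n +2 "$entry"          # replay the cached NT_KEY line
        return 0
    fi
    rm -f "$entry"
    # A hung or rejecting ntlm_auth returns non-zero: reject and never cache it,
    # so a failure can not be replayed and an AD outage surfaces within $limit.
    out=$(timeout "$limit" "$real" "$@") || return 1
    printf '%s\n%s\n' "$now" "$out" > "$entry.tmp" && mv "$entry.tmp" "$entry"
    printf '%s\n' "$out"
}

# When invoked as a script, behave exactly like ntlm_auth for the caller.
if [ $# -gt 0 ]; then
    run_ntlm_auth "$@"
    exit $?
fi
```

Point mschap's ntlm_auth line at this script and keep the TTL short; anything cached is an NT_KEY for an already-verified exchange, not a credential that could authenticate a new one.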
