Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)

Gary Gatten Ggatten at waddell.com
Sat Mar 5 01:21:58 CET 2011


I kinda like your caching idea, but not sure of any security implications.

I have two FR servers (each pointing to a different DC) and my NASes are configured to use both.  But, iirc, if AD is down on the backend, FR still replies (with something), so the NAS never rolls over to the other FR server.

So, I thought about some script that would use ntlm_auth every n seconds; if it fails, kill the FR process (or use FR policy to act dead). When it starts working again, restart FR.  This should make the NAS roll to the next FR server.

What about OpenLDAP on the FR server that's "refreshed" / sync'd to the winblows/AD?  I've never tried this but assume it's doable.
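The probe-and-fail-over idea above, written out as an added example (this is the editor's sketch, not a script from the thread or from the FreeRADIUS or Samba projects). It assumes a dedicated low-privilege AD account used only for probing, its password in a root-only file, coreutils `timeout`, and a SysV-style `service` command with a configurable service name; every name below is a placeholder. The check goes through ntlm_auth's squid-2.5-basic helper protocol rather than `--password=`, so the probe password never shows up in the process list:

```shell
#!/bin/sh
# Added example (not from the thread): an ntlm_auth watchdog for the
# "probe every n seconds, stop radiusd when AD is unreachable, start it
# again on recovery" idea, so the NAS fails over to the other RADIUS server.
# Hypothetical names: a low-privilege AD probe account, its password in a
# root-only file, and the init script named by RADIUS_SERVICE.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
PROBE_USER="${PROBE_USER:-radius-probe}"                    # hypothetical AD account
PROBE_PASS_FILE="${PROBE_PASS_FILE:-/etc/raddb/probe.pass}" # mode 0600, root-owned
RADIUS_SERVICE="${RADIUS_SERVICE:-freeradius}"              # "radiusd" on RHEL-style hosts
INTERVAL="${INTERVAL:-10}"              # seconds between probes
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive failures before stopping radiusd
PROBE_TIMEOUT="${PROBE_TIMEOUT:-5}"     # seconds; a hung winbind must not hang the watchdog

# probe: one password check through winbind. The squid-2.5-basic helper
# protocol reads "user password" on stdin and answers OK or ERR, which keeps
# the password out of the process list (unlike --password=...).
probe() {
    printf '%s %s\n' "$PROBE_USER" "$(cat "$PROBE_PASS_FILE")" |
        timeout "$PROBE_TIMEOUT" "$NTLM_AUTH" --helper-protocol=squid-2.5-basic 2>/dev/null |
        grep -q '^OK'
}

# decide STATE FAILS RC: pure transition function, kept free of side effects
# so it can be tested. STATE is "up" (radiusd running) or "down" (stopped by
# us); RC is the probe's exit status. Prints "NEWSTATE NEWFAILS ACTION" where
# ACTION is none, stop or start.
decide() {
    state=$1; fails=$2; rc=$3
    if [ "$rc" -eq 0 ]; then
        # first success after an outage brings radiusd back; otherwise just reset
        if [ "$state" = down ]; then echo "up 0 start"; else echo "up 0 none"; fi
        return 0
    fi
    fails=$((fails + 1))
    if [ "$state" = up ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        echo "down $fails stop"
    else
        echo "$state $fails none"
    fi
}

# run_forever: the watchdog loop. The daemon is only stopped or started on a
# state transition, never on every tick, so a flapping DC does not turn into
# a restart storm.
run_forever() {
    state=up; fails=0
    while :; do
        if probe; then rc=0; else rc=1; fi
        set -- $(decide "$state" "$fails" "$rc")
        state=$1; fails=$2
        case $3 in
            stop)
                logger -t radius-watchdog "ntlm_auth failed $fails times; stopping $RADIUS_SERVICE"
                service "$RADIUS_SERVICE" stop ;;
            start)
                logger -t radius-watchdog "ntlm_auth recovered; starting $RADIUS_SERVICE"
                service "$RADIUS_SERVICE" start ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "watchdog.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
    run_forever
fi
```

Run it as `watchdog.sh run` from init or a supervisor. Stopping radiusd is the safe failure mode here: the NAS gets no reply at all and rolls to the second server. A cached-result ntlm_auth wrapper cannot do the same job safely for EAP-PEAP/MS-CHAPv2, because the NT-Response in each request is computed from the user's NT hash over a fresh per-request challenge; a cache keyed on the user name has nothing to verify a new response against and would have to accept the user unchecked, which is the security implication the reply above hesitates over.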

----- Original Message -----
From: John Douglass [mailto:john.douglass at oit.gatech.edu]
Sent: Friday, March 04, 2011 11:34 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)

Group,

Recently, my AD servers were patched by another support group and this 
caused a (small but noticeable) service outage for our WPA radius 
services (Radius 2.1.9)

I am curious how others who are using AD as their backends have either 
configured smb.conf/winbind/radius in order to do high availability for 
authentications.

I do have configured:

smb.conf

     password server = server1.ad.gatech.edu server2.ad.gatech.edu

But that didn't seem to help with failures. What I am seeing in the logs 
(during outages such as these) is:

     Mar  3 06:47:55 dvlanb radiusd[17093]: Discarding duplicate request from client My-WiSM port 32770 - ID: 95 due to unfinished request 466
     Mar  3 06:47:55 dvlanb radiusd[17093]: Child PID 17274 is taking too much time: forcing failure and killing child.

I am pretty certain this is from a non-responsive "ntlm_auth" call.

I have searched for options to winbind and ntlm_auth that might assist 
in caching authentication requests so that slight hiccups like these do 
not disturb our users.

I thought of possibly writing a custom "ntlm_auth" script that performs 
a cache lookup and responds correctly as ntlm_auth regularly would and, 
if there is no valid cache entry, then tries the real ntlm_auth command and 
adds a cache entry.

Does someone have any suggestions on configuration changes on radius or 
samba that might help?

from my sites-available/wpa-services file:

authorize {
     #  The preprocess module takes care of sanitizing some bizarre
     #  attributes in the request, and turning them into attributes
     #  which are more standard.
     preprocess

     #
     #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
     #  authentication.
     eap {
         ok = return
     }

     #
     #  Look in an SQL database.  The schema of the database is meant to
     #  mirror the "users" file.
     sqlwpa
}


#  Authentication.
authenticate {
     #  MSCHAP authentication.
     Auth-Type MS-CHAP {
         mschap
     }

     #  Allow EAP authentication.
     eap
}

Thanks in advance,
- John Douglass, Senior Systems Architect
Georgia Institute of Technology
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




