Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
Phil Mayers
p.mayers at imperial.ac.uk
Sat Mar 5 01:45:43 CET 2011
On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.
It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.
>
> I have (2) FR servers (each pointing to different DC) and my NAS's
> are configured to use both. But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.
Yes, this is a bad idea.
Just configure samba to autodiscover the AD controllers. Winbind will
cache connections and open new ones when the old ones go away.
>
> So, I thought about some script that would use ntlm_auth every...n
> seconds, if it fails kill FR process (or use FR policy to act dead).
> When it starts working again, restart FR. This should make the NAS
> roll to the next FR server.
That might work, but it seems like a sledgehammer to crack a nut.
>
> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD? I've never tried this but assume it's doable.
It's not possible. AD controllers will only sync to other AD controllers.
At some point in the future, Samba 4 might be able to slave the LDAP
database of an AD controller, but it's purely theoretical at the moment
I think.
More information about the Freeradius-Users
mailing list