Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 5 01:45:43 CET 2011


On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.

It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.

>
> I have (2) FR servers (each pointing to different DC) and my NAS's
> are configured to use both.  But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.

Yes, this is a bad idea.

Just configure samba to autodiscover the AD controllers. Winbind will 
cache connections and open new ones when the old ones go away.

>
> So, I thought about some script that would use ntlm_auth every...n
> seconds, if it fails kill FR process (or use FR policy to act dead).
> When it starts working again, restart FR.  This should make the NAS
> roll to the next FR server.

That might work, but it seems like a sledgehammer to crack a nut.

>
> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD?  I've never tried this but assume it's doable.

It's not possible. AD controllers will only sync to other AD controllers.

At some point in the future, Samba 4 might be able to slave the LDAP 
database of an AD controller, but it's purely theoretical at the moment 
I think.
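As an added illustration of the first point in this reply (it is not code from the thread, from FreeRADIUS or from Samba): the script below models one MS-CHAPv2 authentication and then tries to replay a cached response against a fresh challenge. The `challenge_hash` function follows RFC 2759 (SHA-1 over PeerChallenge, AuthenticatorChallenge and UserName, truncated to 8 bytes); the password-hash and response functions are labelled stand-ins for the MD4/DES steps so the example runs on the Python standard library alone, and all class and function names (`Authenticator`, `client_respond`, `cached_replay_succeeds`) are invented for this example.

```python
"""
Added example, not part of the original mailing-list thread.

Real: challenge_hash() implements the RFC 2759 ChallengeHash step that
yields the 8-byte challenge the reply above refers to.
Stand-in: the real NT-Response is three DES encryptions of that challenge
under the MD4 hash of the password; here HMAC-SHA256 replaces it so the
example needs no MD4 or DES implementation. The property that matters
is preserved: the response is a function of the per-attempt challenge.
"""
import hashlib
import hmac
import os


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 section 8.2: first 8 bytes of SHA-1(Peer || Authenticator || UserName)
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def password_hash(password: str) -> bytes:
    # Stand-in for NtPasswordHash (MD4 over the UTF-16LE password); MD4 is
    # disabled in many OpenSSL builds, so SHA-256 is used in this example.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(challenge8: bytes, pw_hash: bytes) -> bytes:
    # Stand-in for the DES-based ChallengeResponse: 24 bytes derived from
    # the password hash and the fresh 8-byte challenge.
    return hmac.new(pw_hash, challenge8, hashlib.sha256).digest()[:24]


class Authenticator:
    """Server side (hypothetical): issues a fresh challenge for every attempt."""

    def __init__(self, pw_hash: bytes):
        self.pw_hash = pw_hash

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, username: str, auth_challenge: bytes,
               peer_challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(
            challenge_hash(peer_challenge, auth_challenge, username), self.pw_hash)
        return hmac.compare_digest(expected, response)


def client_respond(username: str, password: str, auth_challenge: bytes):
    """Client side (hypothetical): picks its own 16-byte peer challenge."""
    peer_challenge = os.urandom(16)
    resp = challenge_response(
        challenge_hash(peer_challenge, auth_challenge, username), password_hash(password))
    return peer_challenge, resp


def fresh_auth_succeeds(username: str, password: str) -> bool:
    """A normal exchange with a fresh challenge verifies."""
    server = Authenticator(password_hash(password))
    c1 = server.new_challenge()
    peer1, resp1 = client_respond(username, password, c1)
    return server.verify(username, c1, peer1, resp1)


def cached_replay_succeeds(username: str, password: str) -> bool:
    """Replay the response from attempt 1 against the challenge of attempt 2.

    This is what a cache keyed on the user name would do; the server has
    already moved on to a new random challenge, so the lookup is useless.
    """
    server = Authenticator(password_hash(password))
    c1 = server.new_challenge()
    peer1, resp1 = client_respond(username, password, c1)
    if not server.verify(username, c1, peer1, resp1):
        raise RuntimeError("first attempt should verify")
    c2 = server.new_challenge()          # different 16 random bytes
    return server.verify(username, c2, peer1, resp1)


if __name__ == "__main__":
    print("fresh authentication verifies:", fresh_auth_succeeds("alice", "s3cret"))
    print("cached response replays:     ", cached_replay_succeeds("alice", "s3cret"))
```

The only cacheable state in this exchange is on the Samba side (winbind's connection to the domain controller), not the per-attempt response, which is why the reply points at winbind's own connection handling instead of a response cache.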



More information about the Freeradius-Users mailing list