Using rlm_caching: rejects on cached requests
Jeroen Scheerder
js at on2it.net
Mon Apr 23 12:09:26 CEST 2012
Hi,
We have a SSL-VPN client that authenticates in two stages. When using authentication with RSA OTP tokens, the second request is considered to be a replay by the RSA server, and denied for that reason.
The authentication itself is handled by proxy through a Freeradius server (2.1.12 with experimental modules).
What I'd like to acomplish is:
- Cache authentication requests
- Uncached or expired requests are passed on to the proxy
- Cached authentication requests are handled (within the specified TTL)
I've set up caching, and I see some of it working. From the debug output, I see this for the first request:
---- Snip ----
+- entering group authorize {...}
[preprocess] expand: %{User-Name} -> js
[preprocess] hints: Matched DEFAULT at 80
[preprocess] expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js at rsa.on2it.net
++[preprocess] returns ok
[caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: Searching the database for key 'on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: Could not find the requested key in the database.
rlm_caching: Cache Queries: 4, Cache Hits: 0, Hit Ratio: 0.00%
[…]
[then we see the proxy request being handled, successfully]
[…]
+- entering group post-auth {...}
++[exec] returns noop
rlm_caching: Found Auth-Type, value: ''
[caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: VP=Class,VALUE=default_group,length=38,cache record length=39, space left=711
rlm_caching: Storing cache for Key='on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: New value stored successfully.
++[caching] returns ok
Sending Access-Accept of id 69 to 127.0.0.1 port 18782
Class = 0x64656661756c745f67726f757000
---- pinS ----
This all seems more or less plausible, except for "Found Auth-Type, value: ''"
For the second request (fired within a few seconds), I see:
---- Snip ----
Executing section authorize from file /root/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] expand: %{User-Name} -> js
[preprocess] hints: Matched DEFAULT at 80
[preprocess] expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js at rsa.on2it.net
++[preprocess] returns ok
[caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: Searching the database for key 'on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: Key Found.
rlm_caching: VP='Class',VALUE='default_group',lenth='14',cache record length='39'
rlm_caching: Adding Auth-Type ''
rlm_caching: Cache Queries: 5, Cache Hits: 1, Hit Ratio: 20.00%
++[caching] returns ok
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
---- pinS ----
So I'm getting a Reject for a cached Accept, in effect, and that seems to be due to the Auth-Type.
This happens equally for non-proxied requests, i.e. with the following entry in "users":
testing Cleartext-Password := "password"
User-Name = "%{User-Name}",
NAS-IP-Address = "%{NAS-IP-Address}"
What am I missing, and what can I do to get cached authentication requests handled?
TIA, JS.
--
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.net | E: Jeroen.Scheerder at on2it.net
Premier Business Partner - IBM | Reseller of the Year 2011 - Palo Alto Networks
More information about the Freeradius-Users
mailing list