Using rlm_caching: rejects on cached requests

Jeroen Scheerder js at on2it.net
Mon Apr 23 12:09:26 CEST 2012


Hi,

We have an SSL-VPN client that authenticates in two stages.  When using authentication with RSA OTP tokens, the second request is considered to be a replay by the RSA server, and denied for that reason.

The authentication itself is handled by proxy through a Freeradius server (2.1.12 with experimental modules).

What I'd like to accomplish is:

	- Cache authentication requests
	- Uncached or expired requests are passed on to the proxy
	- Cached authentication requests are handled (within the specified TTL)

I've set up caching, and I see some of it working.  From the debug output, I see this for the first request:

---- Snip ----
+- entering group authorize {...}
[preprocess] 	expand: %{User-Name} -> js
[preprocess]   hints: Matched DEFAULT at 80
[preprocess] 	expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js at rsa.on2it.net
++[preprocess] returns ok
[caching] 	expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: Searching the database for key 'on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: Could not find the requested key in the database.
rlm_caching: Cache Queries:       4, Cache Hits:       0, Hit Ratio: 0.00%
[…]
[then we see the proxy request being handled, successfully]
[…]
+- entering group post-auth {...}
++[exec] returns noop
rlm_caching: Found Auth-Type, value: ''
[caching] 	expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: VP=Class,VALUE=default_group,length=38,cache record length=39, space left=711
rlm_caching: Storing cache for Key='on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: New value stored successfully.
++[caching] returns ok
Sending Access-Accept of id 69 to 127.0.0.1 port 18782
	Class = 0x64656661756c745f67726f757000
---- pinS ----

This all seems more or less plausible, except for "Found Auth-Type, value: ''"

For the second request (fired within a few seconds), I see:

---- Snip ----
Executing section authorize from file /root/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] 	expand: %{User-Name} -> js
[preprocess]   hints: Matched DEFAULT at 80
[preprocess] 	expand: on2it-%{User-Name}@rsa.on2it.net -> on2it-js at rsa.on2it.net
++[preprocess] returns ok
[caching] 	expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> on2it-js at rsa.on2it.net:480378:172.17.202.55
rlm_caching: Searching the database for key 'on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: Key Found.
rlm_caching: VP='Class',VALUE='default_group',lenth='14',cache record length='39'
rlm_caching: Adding Auth-Type ''
rlm_caching: Cache Queries:       5, Cache Hits:       1, Hit Ratio: 20.00%
++[caching] returns ok
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
---- pinS ----

So I'm getting a Reject for a cached Accept, in effect, and that seems to be due to the Auth-Type.

This happens equally for non-proxied requests, i.e. with the following entry in "users":

	testing Cleartext-Password := "password"
	        User-Name = "%{User-Name}",
	        NAS-IP-Address = "%{NAS-IP-Address}"


What am I missing, and what can I do to get cached authentication requests handled?


TIA, JS.


-- 
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.net  | E: Jeroen.Scheerder at on2it.net

Premier Business Partner - IBM  |  Reseller of the Year 2011 - Palo Alto Networks