Using rlm_caching: rejects on cached requests
Jeroen Scheerder
Jeroen.Scheerder at on2it.net
Thu Apr 26 09:43:59 CEST 2012
On 23 Apr 2012 (Q2, W17), at 12:09, Jeroen Scheerder wrote:
> What I'd like to accomplish is:
>
> - Cache authentication requests
> - Uncached or expired requests are passed on to the proxy
> - Cached authentication requests are handled (within the specified TTL)
>
> I've set up caching, and I see some of it working.
With a little more work, I've narrowed my problem down to the caching_postauth function in rlm_caching.c.
It reads:
""
    /* Post-auth: decide whether this request's Auth-Type is one we cache. */
    if ((auth_type = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL){
        DEBUG("rlm_caching: Found Auth-Type, value: '%s'",auth_type->vp_strvalue);
        if (strcmp(auth_type->vp_strvalue,"Reject") == 0 && data->cache_rejects == 0){
            DEBUG("rlm_caching: No caching of Rejects. Returning NOOP");
            return RLM_MODULE_NOOP;
        }
        if (strlen(auth_type->vp_strvalue) > MAX_AUTH_TYPE - 1){
            DEBUG("rlm_caching: Auth-Type value too large");
            return RLM_MODULE_NOOP;
        }
    }
""
When run, this results in:
rlm_caching: Found Auth-Type, value: ''
… when caching an already accepted authentication request. Subsequent requests are actually found in the cache and handled:
rlm_caching: Searching the database for key 'on2it-js at rsa.on2it.net:480378:172.17.202.55'
rlm_caching: Key Found.
rlm_caching: VP='Class',VALUE='default_group',lenth='14',cache record length='39'
rlm_caching: Adding Auth-Type ''
rlm_caching: Cache Queries: 5, Cache Hits: 1, Hit Ratio: 20.00%
++[caching] returns ok
However, the cached Auth-Type of '' poses a problem:
Found Auth-Type = Local
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No "known good" password was configured for the user.
As a result, we cannot authenticate the user.
Failed to authenticate the user.
Using Post-Auth-Type Reject
I've modified rlm_caching.c thusly:
    if ((auth_type = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL){
        DEBUG("rlm_caching: Found Auth-Type, value: '%s'",auth_type->vp_strvalue);
        /* JS - set Auth-Type to 'Accept' if unset, so the cached entry
         * does not later resolve to Auth-Type = Local */
        if (strcmp(auth_type->vp_strvalue,"") == 0){
            DEBUG("rlm_caching: Auth-Type unset, assigning value: '%s'", "Accept");
            strcpy(auth_type->vp_strvalue, "Accept");
        }
        if (strcmp(auth_type->vp_strvalue,"Reject") == 0 && data->cache_rejects == 0){
            DEBUG("rlm_caching: No caching of Rejects. Returning NOOP");
            return RLM_MODULE_NOOP;
        }
        if (strlen(auth_type->vp_strvalue) > MAX_AUTH_TYPE - 1){
            DEBUG("rlm_caching: Auth-Type value too large");
            return RLM_MODULE_NOOP;
        }
    }
This has the following effect:
rlm_caching: Found Auth-Type, value: ''
rlm_caching: Auth-Type unset, assigning value: 'Accept'
[…]
rlm_caching: New value stored successfully.
++[caching] returns ok
Sending Access-Accept of id 72 to 127.0.0.1 port 56586
User-Name = "testing"
NAS-IP-Address = 172.17.202.55
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 63643, id=178, length=77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 172.17.202.55
NAS-Port = 0
Message-Authenticator = 0x22ec5564c881d6ba20af882fa2369b31
# Executing section authorize from file /root/etc/raddb/sites-enabled/default
[…]
[caching] expand: %{User-Name}:%{User-Password}:%{NAS-IP-Address} -> testing:password:172.17.202.55
rlm_caching: Searching the database for key 'testing:password:172.17.202.55'
rlm_caching: Key Found.
rlm_caching: VP='User-Name',VALUE='testing',lenth='7',cache record length='22'
rlm_caching: VP='NAS-IP-Address',VALUE='172.17.202.55',lenth='4',cache record length='53'
rlm_caching: Adding Auth-Type 'Accept'
rlm_caching: Cache Queries: 2, Cache Hits: 2, Hit Ratio: 100.00%
++[caching] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Note that actual rejects don't seem to make the caching_postauth function, for whatever reason.
This seems to be working. No doubt somebody'll step in and tell me how utterly wrong this is. :-)
Still, I'm content so far. But I have one more thing to take care of: I'd like to enable caching only for specific clients. How could I accomplish that?
Regards, Jeroen.
--
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.net | E: Jeroen.Scheerder at on2it.net
Premier Business Partner - IBM | Reseller of the Year 2011 - Palo Alto Networks
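The post-auth decision from the thread above, written out as a stand-alone C model so the empty-Auth-Type case can be exercised in isolation. This is an added example, not FreeRADIUS's own rlm_caching.c; MAX_AUTH_TYPE, the static value buffer and the NULL-for-NOOP return convention are assumptions standing in for the module's real structures and return codes.

```c
/* Added example, not FreeRADIUS's rlm_caching.c: a stand-alone model of
 * the caching_postauth decision. MAX_AUTH_TYPE and the returned buffer
 * are assumptions standing in for the module's structures. */
#include <stdio.h>
#include <string.h>

#define MAX_AUTH_TYPE 32   /* assumed size of the Auth-Type value buffer */

/* Returns the Auth-Type value that would be written to the cache, or NULL
 * when the module should return RLM_MODULE_NOOP and cache nothing.
 * auth_type == NULL models pairfind() finding no Auth-Type pair at all. */
const char *cached_auth_type(const char *auth_type, int cache_rejects)
{
    static char value[MAX_AUTH_TYPE];

    if (auth_type == NULL) {
        /* No Auth-Type pair: the original block is skipped and the
         * request is cached without one. */
        value[0] = '\0';
        return value;
    }

    /* An already accepted request reaches post-auth with an empty
     * Auth-Type; caching '' makes the replayed request resolve to
     * Auth-Type = Local and fail with "no known good password". */
    if (auth_type[0] == '\0')
        auth_type = "Accept";

    if (strcmp(auth_type, "Reject") == 0 && cache_rejects == 0)
        return NULL;                 /* rejects are not cached by default */

    if (strlen(auth_type) > MAX_AUTH_TYPE - 1)
        return NULL;                 /* refuse rather than truncate */

    /* Bounded copy in place of the post's strcpy(): "Accept" fits, but a
     * bounded copy stays safe if the literal or buffer size ever changes. */
    snprintf(value, sizeof value, "%s", auth_type);
    return value;
}

int main(void)
{
    const char *cases[] = { "", "Reject", "Accept" };
    for (size_t i = 0; i < 3; i++) {
        const char *v = cached_auth_type(cases[i], 0);
        printf("Auth-Type '%s' -> %s\n", cases[i], v ? v : "NOOP (not cached)");
    }
    return 0;
}
```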