rlm_cache and ntlm_auth

John Douglass john.douglass at oit.gatech.edu
Mon Nov 25 15:46:35 CET 2013


Jonathan,

I have had some success on our servers with the EAP caching available in 
the eap.conf file within the tls {} block. It does take some additional 
work to save/restore attributes from the cache, but it's been successful 
for me for _some_ subset of authentications in not having to go all the 
way to AD during the cache time.

It's going to totally depend upon client behavior/capabilities.

- JohnD



On 11/25/2013 08:15 AM, Arran Cudbard-Bell wrote:
> On 25 Nov 2013, at 12:26, Jonathan Gazeley <jonathan.gazeley at bristol.ac.uk> wrote:
>
>> Probably a simple question, but I've Googled it and I can't find the answer.
>>
>> Is it possible to wrap an ntlm_auth backend in rlm_cache? Our active directory is frequently quite slow. If we were able to grab at least some of these authentications from the cache I think it would help a lot.
>>
>> I don't know exactly what data is returned from NTLM, is it cacheable or does it have to be fresh each time? By the fact that I haven't found any mention of anyone doing this, I suspect it's probably not possible.
>>
> For PAP yes, for MSCHAPv2 no (challenge/response).
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
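
Added example, not part of the original thread and not FreeRADIUS code: a Python illustration of the distinction drawn above, that a result cache can answer repeated PAP requests but not a challenge/response exchange such as MSCHAPv2. The directory contents, TTL and function names are hypothetical, and an HMAC stands in for the real MSCHAPv2 response computation.

```python
import hashlib, hmac, os, time

CACHE_TTL = 300   # seconds (constructed value)
_cache = {}       # user -> (salt, pbkdf2 digest, expiry)
DIRECTORY = {"alice": "correct horse"}  # constructed stand-in for AD

def backend_check(user, password):
    """Stand-in for the slow ntlm_auth / AD round trip."""
    return DIRECTORY.get(user) == password

def _digest(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def pap_auth(user, password, now=None):
    """PAP: the server receives the password, so it can re-check it locally.
    Caveat: a cached accept outlives a disabled account until the TTL expires."""
    now = time.time() if now is None else now
    entry = _cache.get(user)
    if entry and entry[2] > now and hmac.compare_digest(entry[1], _digest(entry[0], password)):
        return "cache"
    if backend_check(user, password):
        salt = os.urandom(16)
        _cache[user] = (salt, _digest(salt, password), now + CACHE_TTL)
        return "backend"
    return "reject"

def cr_response(password, challenge):
    """Simplified stand-in for MSCHAPv2: response depends on secret AND challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def cr_cache_check(seen, challenge, response):
    """A result cache only holds (challenge -> response) pairs it has already seen."""
    known = seen.get(challenge)
    return known is not None and hmac.compare_digest(known, response)

if __name__ == "__main__":
    print(pap_auth("alice", "correct horse"), pap_auth("alice", "correct horse"))
    c1, c2 = os.urandom(16), os.urandom(16)   # server picks a fresh challenge each time
    seen = {c1: cr_response("correct horse", c1)}
    # A valid response to the new challenge is not in the cache: back to AD.
    print(cr_cache_check(seen, c2, cr_response("correct horse", c2)))
```

Verifying a fresh challenge/response locally would require caching the secret itself (or a password-equivalent hash) rather than a past result.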


