Cache One Time Password OTP

Arran Cudbard-Bell a.cudbardb at
Wed Feb 25 23:08:54 CET 2015

> The ThinLinc documentation ( states in its requirements.
> "
> An OTP server which accepts the OTP twice. This is due to the ThinLinc architecture: The client first contacts the master machine, and then the agent host. The NordicEdge One Time Password Server has built-in support for ThinLinc. When using RSA SecurID, we recommend using the Steel-Belted Radius server as a "Token Caching Server".
> "
> I don't want to setup Steel-Belted Radius, or RADIATOR.  I'd rather use freeradius.   I found something in the archives that I belive is exactly what I need.  I'm just not sure how to go about setting it up.
> It may be my version of freeradius is too old to use this particular type of caching.  I'm using  freeradius-server  2.1.1-7.18.1  SLES11-SP3
> Hopefully This clears things up a little.

Assuming you have an architecture like:

thinLinc1 -|- FreeRADIUS - LDAP<sasl><yubikey plugin>
thinLinc2 -|

Yes you can use rlm_cache to allow the same password to be used within a given window without sending it to LDAP. Your version of FreeRADIUS does not support caching. It is very old. You can upgrade to 2.2.6 which should be config compatible, and does support caching.

You'll have to be careful when defining your policy to only allow duplicate auths from servers within the same cluster, else you'll break the replay protection.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list