rlm_cache NT-Password with EAP-PEAP
Sherker, Donald
Donald.Sherker at mybrighthouse.com
Fri Feb 27 17:04:04 CET 2015
We are trying to set up a FreeRADIUS 3.0.7 server that uses EAP-PEAP and EAP-TTLS, both with MSCHAPv2. This server reads a user's Cleartext-Password from an LDAP server. In order to minimize the calls to the LDAP server we are trying to use rlm_cache to cache the NT-Password and LM-Password so that, when a user logs in after the initial login, FreeRADIUS does not need to query the LDAP server. This works with EAP-TTLS, but it does not work with EAP-PEAP. The NT-Password and LM-Password do not seem to be available to the caching module with EAP-PEAP.
I am pasting the parts of the config files related to this below. Please let me know if there is any other information needed.
mods-enabled/cache:

    update {
        control:NT-Password := "%{control:NT-Password}"
        control:LM-Password := "%{control:LM-Password}"
    }
mods-enabled/eap:

    eap {
        default_eap_type = peap
        ignore_unknown_eap_types = no
        ttls {
            tls = tls-common
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        peap {
            tls = tls-common
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            proxy_tunneled_request_as_eap = no
            virtual_server = "inner-tunnel"
        }
    }
sites-enabled/inner-tunnel:

    authorize {
        eap {
            ok = return
        }
        update control {
            Cache-Status-Only = 'yes'
        }
        cache
        if (notfound) {
            ldap
        }
        else {
            cache
        }
        mschap
    }
    post-auth {
        cache
    }
I am also posting excerpts from the debug output; again, if more is needed, let me know.
This is for an EAP-TTLS session:
Tue Feb 24 16:32:57 2015 : Debug: (7) modsingle[post-auth]: calling cache (rlm_cache) for request 7
Tue Feb 24 16:32:57 2015 : Debug: %{User-Name}%{outer.request:Calling-Station-Id}
Tue Feb 24 16:32:57 2015 : Debug: Parsed xlat tree:
Tue Feb 24 16:32:57 2015 : Debug: attribute --> User-Name
Tue Feb 24 16:32:57 2015 : Debug: attribute --> Calling-Station-Id
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: EXPAND %{User-Name}%{outer.request:Calling-Station-Id}
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: --> andyresd022be6e8229
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Mutex acquired
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: No cache entry found for "andyresd022be6e8229"
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Creating new cache entry
Tue Feb 24 16:32:57 2015 : Debug: %{control:NT-Password}
Tue Feb 24 16:32:57 2015 : Debug: Parsed xlat tree:
Tue Feb 24 16:32:57 2015 : Debug: attribute --> NT-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: EXPAND %{control:NT-Password}
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: --> 0x927b45aa1c222ebeaad483703f11c465
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: control:NT-Password := 0x927b45aa1c222ebeaad483703f11c465
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Merging cache entry into request
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: &control:NT-Password := 0x927b45aa1c222ebeaad483703f11c465
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: FROM 1 TO 6 MAX 7
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: Examining NT-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: OVERWRITING NT-Password FROM 0 TO 4
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: TO in 6 out 6
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[0] = Proxy-To-Realm
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[1] = Ldap-UserDn
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[2] = Cleartext-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[3] = Auth-Type
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[4] = NT-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[5] = LM-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Commited entry, TTL 86400 seconds
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Mutex released
Tue Feb 24 16:32:57 2015 : Debug: (7) modsingle[post-auth]: returned from cache (rlm_cache) for request 7
Tue Feb 24 16:32:57 2015 : Debug: (7) [cache] = updated
Tue Feb 24 16:32:57 2015 : Debug: (7) } # post-auth = updated
Tue Feb 24 16:32:57 2015 : Debug: (7) } # server inner-tunnel
This is for an EAP-PEAP session:
Tue Feb 24 16:34:57 2015 : Debug: (8) modsingle[post-auth]: calling cache (rlm_cache) for request 8
Tue Feb 24 16:34:57 2015 : Debug: %{User-Name}%{outer.request:Calling-Station-Id}
Tue Feb 24 16:34:57 2015 : Debug: Parsed xlat tree:
Tue Feb 24 16:34:57 2015 : Debug: attribute --> User-Name
Tue Feb 24 16:34:57 2015 : Debug: attribute --> Calling-Station-Id
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: EXPAND %{User-Name}%{outer.request:Calling-Station-Id}
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: --> qaresdonE8-99-C4-72-33-D8
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Mutex acquired
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: No cache entry found for "qaresdonE8-99-C4-72-33-D8"
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Creating new cache entry
Tue Feb 24 16:34:57 2015 : Debug: %{control:NT-Password}
Tue Feb 24 16:34:57 2015 : Debug: Parsed xlat tree:
Tue Feb 24 16:34:57 2015 : Debug: attribute --> NT-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: EXPAND %{control:NT-Password}
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: -->
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: control:NT-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: %{control:LM-Password}
Tue Feb 24 16:34:57 2015 : Debug: Parsed xlat tree:
Tue Feb 24 16:34:57 2015 : Debug: attribute --> LM-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: EXPAND %{control:LM-Password}
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: -->
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: control:LM-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Merging cache entry into request
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: &control:NT-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: &control:LM-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: FROM 2 TO 4 MAX 6
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: Examining NT-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: APPENDING NT-Password FROM 0 TO 4
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: Examining LM-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: APPENDING LM-Password FROM 1 TO 5
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: TO in 4 out 6
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[0] = Proxy-To-Realm
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[1] = Auth-Type
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[2] = Ldap-UserDn
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[3] = Cleartext-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[4] = NT-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[5] = LM-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Commited entry, TTL 86400 seconds
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Mutex released
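The two debug excerpts above differ in one detail that is easy to miss in a long log: in the PEAP case the cache module expands %{control:NT-Password} to nothing and still commits the entry with a TTL of 86400 seconds, so an empty hash would be served from the cache for a day. The following script is an added example, not part of the original post or of FreeRADIUS; it scans rlm_cache debug lines of the shape shown above, groups them by request number, and reports every committed entry whose NT-Password or LM-Password is not a well-formed 16-byte hash. The sample log lines are constructed to mirror the excerpt (the hash value and request numbers are placeholders, not real data), and the "Commited" spelling is copied from the server's own output.

```python
import re
from collections import OrderedDict

# Constructed sample lines modelled on the debug excerpt in the post. The hash
# is a placeholder (not a real NT hash) and the request numbers are invented.
SAMPLE_LOG = """\
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Creating new cache entry
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: control:NT-Password := 0x00112233445566778899aabbccddeeff
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[2] = Cleartext-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: ::: to[4] = NT-Password
Tue Feb 24 16:32:57 2015 : Debug: (7) cache: Commited entry, TTL 86400 seconds
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Creating new cache entry
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: control:NT-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: control:LM-Password := 0x
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[3] = Cleartext-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: ::: to[4] = NT-Password
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: Commited entry, TTL 86400 seconds
"""

# Update-stage line "(N) cache: <list>:<Attr> := <value>". The later merge lines
# start with "&control:" and therefore do not match this pattern.
ASSIGN_RE = re.compile(
    r"\((?P<req>\d+)\) cache: (?P<list>control|request|reply):(?P<attr>[\w-]+) := (?P<val>.*)$"
)
# "Commited" is the server's own spelling in the debug output.
COMMIT_RE = re.compile(r"\((?P<req>\d+)\) cache: Commited entry, TTL (?P<ttl>\d+) seconds")
# Members of the control list as dumped after the merge: "::: to[i] = Attr".
TOLIST_RE = re.compile(r"\((?P<req>\d+)\) cache: ::: to\[\d+\] = (?P<attr>[\w-]+)")

# Attributes that must hold a fixed-length binary hash (length in bytes).
HASH_ATTRS = {"NT-Password": 16, "LM-Password": 16}


def is_valid_hash(attr, value):
    """True if value is a 0x-prefixed hex string of the length attr requires."""
    expected = HASH_ATTRS[attr]
    value = value.strip()
    if not value.startswith("0x"):
        return False
    hexpart = value[2:]
    return len(hexpart) == 2 * expected and all(c in "0123456789abcdefABCDEF" for c in hexpart)


def _entry(reqs, req):
    """Return (creating if needed) the per-request record."""
    return reqs.setdefault(req, {"stored": {}, "empty": [], "control_list": [], "ttl": None})


def audit_cache_updates(log_text):
    """Group rlm_cache debug lines by request number and record what each entry stored.

    Each record holds the attribute values the cache update expanded to, the names of
    hash attributes whose value was empty or malformed, the control list dumped after
    the merge, and the TTL if the entry was committed.
    """
    reqs = OrderedDict()
    for line in log_text.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            entry = _entry(reqs, m["req"])
            entry["stored"][m["attr"]] = m["val"].strip()
            if m["attr"] in HASH_ATTRS and not is_valid_hash(m["attr"], m["val"]):
                entry["empty"].append(m["attr"])
            continue
        m = TOLIST_RE.search(line)
        if m:
            _entry(reqs, m["req"])["control_list"].append(m["attr"])
            continue
        m = COMMIT_RE.search(line)
        if m:
            _entry(reqs, m["req"])["ttl"] = int(m["ttl"])
    return reqs


def empty_cached_hashes(log_text):
    """List (request, attribute) pairs where a committed entry stored no usable hash."""
    return [
        (req, attr)
        for req, entry in audit_cache_updates(log_text).items()
        if entry["ttl"] is not None
        for attr in entry["empty"]
    ]


if __name__ == "__main__":
    for req, attr in empty_cached_hashes(SAMPLE_LOG):
        ttl = audit_cache_updates(SAMPLE_LOG)[req]["ttl"]
        print("request %s committed an empty %s for %d seconds" % (req, attr, ttl))
```

Run against a full `radiusd -X` capture instead of SAMPLE_LOG to see which requests (and, via the control list, which inner method) are writing empty hashes; until the cause is fixed, an entry like request 8 is worth expiring rather than leaving in place for its TTL.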