rlm_cache NT-Password with EAP-PEAP

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 27 17:22:29 CET 2015

On Fri, Feb 27, 2015 at 04:04:04PM +0000, Sherker, Donald wrote:
> We are trying to set up a freeradius 3.0.7 server that uses
> EAP-PEAP and EAP-TTLS, both with MSCHAPv2.  This server reads a
> user's Cleartext-Password from an ldap server.  In order to
> minimize the calls to the ldap server we are trying to use
> rlm_cache to cache the NT-Password and LM-Password so that when
> a user logs in after the initial login freeradius does not need
> to query the ldap server.

Surely that means that when the password is changed the RADIUS
server doesn't notice immediately?

> This works with EAP-TTLS, but it does
> not work with EAP-PEAP.  The NT-Password and LM-Password do not
> seem to be available to the caching module with EAP-PEAP.

My guess: EAP-TTLS tunnels standard mschap internally, so hits the
mschap module. Using PEAP, you're actually doing PEAP/EAP-MSCHAPv2
(an EAP type), so the eap module calls mschap behind the scenes,
and the mschap call in your config isn't used. So by the time you
call cache/ldap/mschap, mschap has already been called and done
its stuff.

I'd first try moving eap, as per below, but I've not tested this.


> sites-enabled/inner-tunnel:
> authorize {
>         update control {
>                 Cache-Status-Only = 'yes'
>         }
>         cache
>         if (notfound) {
>                 ldap
>         }
>         else {
>                 cache
>         }
>         eap {
>                 ok = return
>         }
>         mschap
> }

Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>