rlm_cache NT-Password with EAP-PEAP
Matthew Newton
mcn4 at leicester.ac.uk
Fri Feb 27 17:22:29 CET 2015
On Fri, Feb 27, 2015 at 04:04:04PM +0000, Sherker, Donald wrote:
> We are trying to setup a freeradius 3.0.7 server that uses
> EAP-PEAP and EAP-TTLS, both with MSCHAPv2. This server reads a
> users Cleartext-Password from an ldap server. In order to
> minimize the calls to the ldap server we are trying to use
> rlm_cache to cache the NT-Password and LM-Password so that when
> a user logs in after the initial log in freeradius does not need
> to query the ldap server.
Surely that means that when the password is changed the RADIUS
server doesn't notice immediately?
> This works with EAP-TTLS, but it does
> not work with EAP-PEAP. The NT-Password and LM-Password do not
> seem to be available to the caching module with EAP-PEAP.
My guess: EAP-TTLS tunnels standard mschap internally, so hits the
mschap module. Using PEAP, you're actually doing PEAP/EAP-MSCHAPv2
(an EAP type), so the eap module calls mschap behind the scenes,
and the mschap call in your config isn't used. So by the time you
call cache/ldap/mschap, mschap has already been called and done
its stuff.
I'd first try moving eap, as per below, but I've not tested this.
Matthew
> sites-enabled/inner-tunnel:
>
> authorize {
>     update control {
>         Cache-Status-Only = 'yes'
>     }
>     cache
>     if (notfound) {
>         ldap
>     }
>     else {
>         cache
>     }
>     eap {
>         ok = return
>     }
>     mschap
> }
>
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>