rlm_cache NT-Password with EAP-PEAP

Sherker, Donald Donald.Sherker at mybrighthouse.com
Fri Feb 27 17:57:43 CET 2015

>> We are trying to setup a freeradius 3.0.7 server that uses
>> EAP-PEAP and EAP-TTLS, both with MSCHAPv2.  This server reads a
>> user's Cleartext-Password from an ldap server.  In order to
>> minimize the calls to the ldap server we are trying to use
>> rlm_cache to cache the NT-Password and LM-Password so that when
>> a user logs in after the initial login freeradius does not need
>> to query the ldap server.
>Surely that means that when the password is changed the RADIUS
>server doesn't notice immediately?

We are only caching the entry for a couple of hours.  So yes, there could be instances of the cache in radius not being synchronized with ldap.

>> This works with EAP-TTLS, but it does
>> not work with EAP-PEAP.  The NT-Password and LM-Password do not
>> seem to be available to the caching module with EAP-PEAP.
>My guess: EAP-TTLS tunnels standard mschap internally, so hits the
>mschap module. Using PEAP, you're actually doing PEAP/EAP-MSCHAPv2
>(an EAP type), so the eap module calls mschap behind the scenes,
>and the mschap call in your config isn't used. So by the time you
>call cache/ldap/mschap, mschap has already been called and done
>its stuff.
>I'd first try moving eap, as per below, but I've not tested this.
>> sites-enabled/inner-tunnel:
>> authorize {
>>         update control {
>>                 Cache-Status-Only = 'yes'
>>         }
>>         cache
>>         if (notfound) {
>>                 ldap
>>         }
>>         else {
>>                 cache
>>         }
>>         eap {
>>                 ok = return
>>         }
>>         mschap
>> }

I have made this change, but the behavior is still the same.

>Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>Systems Specialist, Infrastructure Services,
>I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
