rlm_cache NT-Password with EAP-PEAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Feb 27 18:22:47 CET 2015

> On 27 Feb 2015, at 11:57, Sherker, Donald <Donald.Sherker at mybrighthouse.com> wrote:
>>> We are trying to set up a freeradius 3.0.7 server that uses
>>> EAP-PEAP and EAP-TTLS, both with MSCHAPv2.  This server reads a
>>> user's Cleartext-Password from an ldap server.  In order to
>>> minimize the calls to the ldap server we are trying to use
>>> rlm_cache to cache the NT-Password and LM-Password so that when
>>> a user logs in after the initial log in freeradius does not need
>>> to query the ldap server.
>> Surely that means that when the password is changed the RADIUS
>> server doesn't notice immediately?
> We are only caching the entry for a couple of hours.  So yes, there could be instances of the cache in radius not being synchronized with ldap.

If it's OpenLDAP, use syncrepl to replicate to a local instance. Though honestly, unless you really did something to break OpenLDAP, it will be able to cope with the load. Switch to LMDB if you're not using it already.

If it's AD you don't have access to the NT-Password anyway...

If it's Novell you have access to the plaintext password, and I guess, yes, there you might want to cache it.

> I have made this change, but the behavior is still the same.

Key's different?

Tue Feb 24 16:32:57 2015 : Debug: (7) cache: No cache entry found for "andyresd022be6e8229"
Tue Feb 24 16:34:57 2015 : Debug: (8) cache: No cache entry found for "qaresdonE8-99-C4-72-33-D8"

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
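An added example, not code from this thread, from FreeRADIUS or from rlm_cache: a pure-Python model of the design under discussion. It derives NT-Password from a Cleartext-Password the way rlm_mschap does (MD4 over the UTF-16LE encoding of the password; MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 builds), puts a TTL cache keyed on User-Name only in front of a constructed stand-in for the LDAP directory, and walks through the staleness window raised in the reply: after the password changes in the directory, the cache keeps serving the old hash until the TTL lapses. The directory contents, user name, clock and TTL are all constructed for the example.

```python
"""Caching NT-Password derived from an LDAP Cleartext-Password.

Added example: not code from the FreeRADIUS thread or from rlm_cache.
MD4 is implemented here because hashlib's md4 is missing on many
OpenSSL 3 builds. The directory dict is a constructed stand-in for LDAP.
"""
import struct
import time

_R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320 rounds 1-3)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):  # round 1: F = (x & y) | (~x & z)
        f = (b & c) | (~b & d)
        a, b, c, d = d, _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
    for i in range(16):  # round 2: G = majority, constant 0x5A827999
        g = (b & c) | (b & d) | (c & d)
        a, b, c, d = d, _rotl((a + g + X[_R2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
    for i in range(16):  # round 3: H = x ^ y ^ z, constant 0x6ED9EBA1
        h = b ^ c ^ d
        a, b, c, d = d, _rotl((a + h + X[_R3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest of data (little-endian padding and output, per RFC 1320)."""
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> bytes:
    """NT-Password as rlm_mschap derives it: MD4 over the UTF-16LE password."""
    return md4(cleartext.encode("utf-16-le"))


class NTPasswordCache:
    """TTL cache in front of a directory lookup, keyed on User-Name only.

    The key must be built identically on every request that should share
    an entry; a key that differs between requests never hits.
    """

    def __init__(self, directory, ttl, clock=time.time):
        self.directory = directory        # constructed stand-in for LDAP
        self.ttl = ttl                    # seconds an entry is served
        self.clock = clock                # injectable for the walkthrough
        self.entries = {}                 # User-Name -> (NT-Password, expiry)
        self.directory_reads = 0          # how often we had to go to "LDAP"

    def lookup(self, user_name):
        """Return (NT-Password, cache_hit); re-read the directory on miss/expiry."""
        now = self.clock()
        entry = self.entries.get(user_name)
        if entry is not None and entry[1] > now:
            return entry[0], True
        self.directory_reads += 1
        cleartext = self.directory[user_name]   # KeyError means unknown user
        nt = nt_password(cleartext)
        self.entries[user_name] = (nt, now + self.ttl)
        return nt, False


def walkthrough(ttl=7200):
    """Two logins, a password change in the directory, then a login before
    and after the TTL lapses. Returns what each lookup produced."""
    clock = [1000.0]                                    # constructed clock
    directory = {"alice": "password"}                   # constructed LDAP content
    cache = NTPasswordCache(directory, ttl=ttl, clock=lambda: clock[0])
    first, hit1 = cache.lookup("alice")                 # miss: directory read
    second, hit2 = cache.lookup("alice")                # hit: no directory read
    directory["alice"] = "new-password"                 # password changed in LDAP
    clock[0] += ttl / 2
    stale, hit3 = cache.lookup("alice")                 # still the old hash
    clock[0] += ttl / 2 + 1
    fresh, hit4 = cache.lookup("alice")                 # expired: re-read
    return {
        "hits": (hit1, hit2, hit3, hit4),
        "stale_matches_old": stale == first and second == first,
        "fresh_matches_new": fresh == nt_password("new-password"),
        "directory_reads": cache.directory_reads,
    }


if __name__ == "__main__":
    print("NT-Password('password') =", nt_password("password").hex())
    print(walkthrough())
```

The point the walkthrough makes is the one the reply raises: a changed directory password is invisible to the RADIUS server for up to one full TTL, so the cache lifetime is exactly the window in which a revoked or rotated password still authenticates. The cache is keyed on User-Name alone on purpose; anything else folded into the key (a station address, for instance) has to be present and formatted identically on every request that is meant to reach the same entry, otherwise the lookups all miss.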
