rlm_cache NT-Password with EAP-PEAP

Sherker, Donald Donald.Sherker at mybrighthouse.com
Fri Feb 27 18:34:20 CET 2015


>>>> We are trying to setup a freeradius 3.0.7 server that uses
>>>> EAP-PEAP and EAP-TTLS, both with MSCHAPv2.  This server reads a
>>>> users Cleartext-Password from an ldap server.  In order to
>>>> minimize the calls to the ldap server we are trying to use
>>>> rlm_cache to cache the NT-Password and LM-Password so that when
>>>> a user logs in after the initial log in freeradius does not need
>>>> to query the ldap server.
>>>
>>> Surely that means that when the password is changed the RADIUS
>>> server doesn't notice immediately?
>>
>> We are only caching the entry for a couple hours.  So yes there could be instances of the cache in radius not being synchronized with ldap.
>
>If it's OpenLDAP use syncrepl to replicate to a local instance. Though honestly unless you really did something to break OpenLDAP it will be able to cope with the load. Switch to LMDB if you're not using it already.
>
>If it's AD you don't have access to the NT-Password anyway...
>
>If it's Novell you have access to the plaintext password, and I guess, yes, there you might want to cache it.
>

We are using Novell eDirectory

>>
>> I have made this change, but the behavior is still the same.
>
>Key's different?
>
>Tue Feb 24 16:32:57 2015 : Debug: (7) cache: No cache entry found for "andyresd022be6e8229"
>Tue Feb 24 16:34:57 2015 : Debug: (8) cache: No cache entry found for "qaresdonE8-99-C4-72-33-D8"
>

We are using the username and client mac address for the key.  One of the entries was my device and the other was a coworker with a different device.  I can duplicate this with my device by changing between PEAP and TTLS.

>Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>FreeRADIUS development team
>
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
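As an added illustration (not code from this thread or from FreeRADIUS itself): the two "No cache entry found" debug lines above appear to carry the MAC portion of the key in different shapes, one bare lowercase and one upper-case with hyphens, and a cache keyed on the raw User-Name plus Calling-Station-Id only hits when the NAS sends both identically. The sketch below canonicalises the MAC before it enters the key and refuses to build a key when the attribute is absent (for example in an inner-tunnel request that does not carry it); the sample requests and the "user|mac" key layout are constructed, the attribute names are the standard RADIUS ones.

```python
import re

# Constructed sample requests modelled on the quoted debug lines: the same user
# and device seen with differently formatted MACs, plus a request with no MAC.
SAMPLE_REQUESTS = [
    {"User-Name": "qaresdon", "Calling-Station-Id": "E8-99-C4-72-33-D8"},
    {"User-Name": "QAResdon", "Calling-Station-Id": "e8:99:c4:72:33:d8"},
    {"User-Name": "qaresdon"},  # e.g. an inner-tunnel request without the MAC
]

# Six hex pairs with one consistent separator (":" or "-") or none at all.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:\-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
# Cisco-style dotted form: xxxx.xxxx.xxxx
CISCO_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def normalize_mac(calling_station_id):
    """Return the MAC as 12 lowercase hex digits, or None if the value is not a
    MAC in one of the recognised NAS formats (colon, hyphen, bare, Cisco dotted)."""
    value = calling_station_id.strip()
    if not (MAC_RE.match(value) or CISCO_RE.match(value)):
        return None
    return re.sub(r"[^0-9A-Fa-f]", "", value).lower()


def cache_key(request):
    """Build the hypothetical key "<user>|<mac>" from a request dict.

    Returns None when the username or a well-formed MAC is missing, so the
    caller skips the cache instead of creating an entry under a key that only
    one NAS's formatting of the same device would ever match again."""
    user = request.get("User-Name", "").strip().lower()
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if not user or mac is None:
        return None
    return f"{user}|{mac}"


def naive_key(request):
    """Raw concatenation, the shape the quoted debug lines suggest, for comparison."""
    return request.get("User-Name", "") + request.get("Calling-Station-Id", "")
```

With the normalised key the first two sample requests resolve to the same entry, while the raw concatenation yields two unrelated keys and the MAC-less request produces no key at all.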


