rlm_cache NT-Password with EAP-PEAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Feb 27 18:51:32 CET 2015
> On 27 Feb 2015, at 12:34, Sherker, Donald <Donald.Sherker at mybrighthouse.com> wrote:
>
>>>> We are trying to setup a freeradius 3.0.7 server that uses
>>>> EAP-PEAP and EAP-TTLS, both with MSCHAPv2. This server reads a
>>>> user's Cleartext-Password from an ldap server. In order to
>>>> minimize the calls to the ldap server we are trying to use
>>>> rlm_cache to cache the NT-Password and LM-Password so that when
>>>> a user logs in after the initial login, freeradius does not need
>>>> to query the ldap server.
>>>>
>>>> Surely that means that when the password is changed the RADIUS
>>>> server doesn't notice immediately?
>>>
>>> We are only caching the entry for a couple of hours. So yes, there could be instances of the cache in radius not being synchronized with ldap.
>>
>> If it's OpenLDAP use syncrepl to replicate to a local instance. Though honestly, unless you really did something to break OpenLDAP it will be able to cope with the load. Switch to LMDB if you're not using it already.
>>
>> If it's AD you don't have access to the NT-Password anyway...
>>
>> If it's Novell you have access to the plaintext password, and I guess, yes, there you might want to cache it.
>>
>
> We are using Novell eDirectory
>
>>>
>>> I have made this change, but the behavior is still the same.
>>
>> Key's different?
>>
>> Tue Feb 24 16:32:57 2015 : Debug: (7) cache: No cache entry found for "andyresd022be6e8229"
>> Tue Feb 24 16:34:57 2015 : Debug: (8) cache: No cache entry found for "qaresdonE8-99-C4-72-33-D8"
>>
>
> We are using the username and client mac address for the key. One of the entries was my device and the other was a coworker with a different device. I can duplicate this with my device by changing between PEAP and TTLS.
Then the debug output you provided is useless?
You need to show two attempts with the same user, so we can see what's happening on the second attempt.
Also, it's PEAP, why not just enable Session-Resumption?
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
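An added illustration of the two points raised in this thread, written for this page and not taken from FreeRADIUS or from either poster's configuration: a credential cache keyed on User-Name plus Calling-Station-Id, and the staleness window a TTL opens when the password changes in the directory. It assumes the key is composed of exactly those two attributes, as the poster describes; the MAC normalisation, the Directory stand-in, the sample user and passwords are constructed, and derive_credential is a stand-in for the NT-Password derivation (a SHA-256 over the UTF-16LE password), not a real NT hash. The un-normalised key in the second scenario is shaped like the "andyresd022be6e8229" entry from the debug log above.

```python
import hashlib
import re

MAC_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(calling_station_id):
    """Canonicalise a MAC so E8-99-C4-72-33-D8, e8:99:c4:72:33:d8 and
    e899c47233d8 all yield the same key component (assumption: the NAS
    may format Calling-Station-Id differently between attempts)."""
    digits = MAC_NON_HEX.sub("", calling_station_id.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


def cache_key(user_name, calling_station_id, normalize=True):
    """Key = User-Name + Calling-Station-Id, as the thread describes."""
    mac = normalize_mac(calling_station_id) if normalize else calling_station_id
    return f"{user_name}{mac}"


class CredentialCache:
    """Minimal rlm_cache-like store with a TTL; 'now' is passed in so the
    expiry behaviour is deterministic."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, key, now):
        entry = self._entries.get(key)
        if entry is not None and now < entry[0]:
            self.hits += 1
            return entry[1]
        self._entries.pop(key, None)  # absent or expired
        self.misses += 1
        return None

    def store(self, key, value, now):
        self._entries[key] = (now + self.ttl, value)


def derive_credential(cleartext):
    # Stand-in for the NT-Password derivation; NOT an NT hash.
    return hashlib.sha256(cleartext.encode("utf-16-le")).hexdigest()


class Directory:
    """Constructed stand-in for the LDAP directory; counts lookups."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.queries = 0

    def cleartext_password(self, user_name):
        self.queries += 1
        return self.passwords.get(user_name)


def authenticate(cache, directory, user_name, calling_station_id, supplied,
                 now, normalize=True):
    """Serve the derived credential from cache, else fetch and cache it."""
    key = cache_key(user_name, calling_station_id, normalize)
    cred = cache.lookup(key, now)
    if cred is None:
        cleartext = directory.cleartext_password(user_name)
        if cleartext is None:
            return False
        cred = derive_credential(cleartext)
        cache.store(key, cred, now)
    return cred == derive_credential(supplied)


def scenario_key_formats(normalize):
    """Same user, same device, but Calling-Station-Id arrives in two
    formats. Returns (directory queries, cache hits, cache misses)."""
    directory = Directory({"andyres": "Secret1"})
    cache = CredentialCache(ttl_seconds=7200)
    authenticate(cache, directory, "andyres", "D0-22-BE-6E-82-29", "Secret1",
                 now=0, normalize=normalize)
    authenticate(cache, directory, "andyres", "d022be6e8229", "Secret1",
                 now=60, normalize=normalize)
    return directory.queries, cache.hits, cache.misses


def scenario_stale_password():
    """Password changed in the directory while the entry is cached: the old
    password keeps working and the new one fails until the TTL expires."""
    directory = Directory({"andyres": "Secret1"})
    cache = CredentialCache(ttl_seconds=7200)
    mac = "D0-22-BE-6E-82-29"
    authenticate(cache, directory, "andyres", mac, "Secret1", now=0)
    directory.passwords["andyres"] = "Secret2"
    old_still_works = authenticate(cache, directory, "andyres", mac, "Secret1", now=600)
    new_rejected = not authenticate(cache, directory, "andyres", mac, "Secret2", now=601)
    after_expiry = authenticate(cache, directory, "andyres", mac, "Secret2", now=7201)
    return old_still_works, new_rejected, after_expiry
```

Without normalisation the second attempt misses and the directory is queried again, which is what a "No cache entry found" line on a repeat attempt looks like; with it, the second attempt is a hit. The staleness scenario is the window the first reply warns about: for a two-hour TTL a revoked password stays valid for up to two hours on every device whose key is already cached.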