rlm_cache NT-Password with EAP-PEAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Feb 27 21:15:53 CET 2015


> On 27 Feb 2015, at 14:54, Sherker, Donald <Donald.Sherker at mybrighthouse.com> wrote:
> 
>> Don't list LDAP in the outer server, you only need passwords in the inner server.
> 
> I have removed LDAP from the outer server.  Thank you.
> 
>> and no more calls to cache, so I'm not sure what you were expecting to happen.
>> 
>> For the PEAP request the cache will have been cleared as the server has been restarted. If you want a persistent
>> cache, you need to use the memcached driver and run a memcached server. That won't persist across memcached restarts though.
>> 
>> For that there'd need to be a new file system based cache driver.
> 
> I understand that the cache will not persist across restarts of the radius server.  The problem that we are having is that NT-Password and LM-Password are not available for caching when EAP-PEAP is used.  What I am showing in the logs is the first time a user connects and what is being cached.

The cache module is being called in a different round to the call to mschap.auth which produced the hashes.

Move your second cache call (the one to store the hashes) to:

Auth-Type MS-CHAP {
	mschap
	cache.authorize
}

Can't remember if ok = return in authenticate.

If you find cache.authorize isn't being called:

Auth-Type MS-CHAP {
	mschap {
		ok = 1
	}
	cache.authorize
}

That'll ensure the hashes are stored immediately after being produced.

Again, the cleaner way of doing this is with session-resumption. That way you avoid the many rounds of EAP required to do
PEAP or TTLS.

Ensure you've enabled it in the supplicant, on the server, and post the debug output, we might be able to suggest what's wrong.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


More information about the Freeradius-Users mailing list