Cache One Time Password OTP

Gardner, Mark mark.gardner at
Sat Mar 14 03:52:12 CET 2015

On 2/25/15, 4:08 PM, "Arran Cudbard-Bell" <a.cudbardb at>

>> The ThinLinc documentation
>> states in its requirements.
>> "
>> An OTP server which accepts the OTP twice. This is due to the ThinLinc
>> architecture: The client first contacts the master machine, and then the
>> agent host. The NordicEdge One Time Password Server has built-in support
>> for ThinLinc. When using RSA SecurID, we recommend using the
>> Steel-Belted Radius server as a "Token Caching Server".
>> "
>> I don't want to setup Steel-Belted Radius, or RADIATOR.  I'd rather use
>> freeradius.   I found something in the archives that I believe is exactly
>> what I need.  I'm just not sure how to go about setting it up.
>> It may be my version of freeradius is too old to use this particular
>> type of caching.  I'm using  freeradius-server  2.1.1-7.18.1  SLES11-SP3
>> Hopefully this clears things up a little.
>Assuming you have an architecture like:
>thinLinc1 -|- FreeRADIUS - LDAP<sasl><yubikey plugin>
>thinLinc2 -|
>Yes you can use rlm_cache to allow the same password to be used within a
>given window without sending it to LDAP. Your version of FreeRADIUS does
>not support caching. It is very old. You can upgrade to 2.2.6 which
>should be config compatible, and does support caching.
>You'll have to be careful when defining your policy to only allow
>duplicate auths from servers within the same cluster, else you'll break
>the replay protection.

So I've installed a newer version of freeradius with the rlm_cache module.
I've configured it like the Feb 2013 email above.  However, a curious
problem: if I use radtest and submit two bad passwords one after
another, the first fails with a Reject; the second passes with Accept.
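The symptom above (first bad OTP rejected, the same bad OTP then accepted) is what you get when the cache entry is written on the lookup miss, before the backend has answered. The model below is an added example, not the poster's or FreeRADIUS's configuration: it shows the token-caching policy Arran describes, with the entry stored only after a successful backend check and replays limited to the same cluster, next to the broken store-on-miss ordering. The backend, cluster map and OTP values are constructed.

```python
import hashlib
import time

WINDOW = 30  # seconds a validated OTP may be reused (ThinLinc master, then agent host)

# Constructed cluster map: NAS identifier -> cluster. Replays are only honoured
# inside one cluster, so replay protection still holds everywhere else.
CLUSTER_OF = {"thinlinc1": "tl-cluster", "thinlinc2": "tl-cluster", "vpn-gw": "vpn"}


def _key(user, otp):
    # Store a hash rather than the OTP itself; it is enough to recognise a replay.
    return hashlib.sha256(f"{user}\0{otp}".encode()).hexdigest()


def make_otp_backend(valid):
    """Constructed stand-in for LDAP/Yubikey: each (user, otp) pair works once."""
    def verify(user, otp):
        if (user, otp) not in valid:
            return False
        valid.discard((user, otp))  # a real OTP is consumed on first use
        return True
    return verify


class OtpReplayCache:
    def __init__(self, backend, cache_on_miss=False):
        self.backend = backend                # callable(user, otp) -> bool
        self.cache_on_miss = cache_on_miss    # the broken ordering from the post
        self.entries = {}                     # key -> (expiry, cluster)

    def authenticate(self, user, otp, nas, now=None):
        now = time.time() if now is None else now
        k = _key(user, otp)
        cluster = CLUSTER_OF.get(nas)
        entry = self.entries.get(k)
        if entry and entry[0] > now:
            # Cache hit: accept only when the request comes from the same cluster.
            return entry[1] == cluster
        if self.cache_on_miss:
            # Bug: the entry exists before the backend answers, so a bad OTP is
            # rejected once and then accepted from the cache on the next attempt.
            self.entries[k] = (now + WINDOW, cluster)
        ok = self.backend(user, otp)
        if ok and not self.cache_on_miss:
            # Correct ordering: cache only what the backend actually accepted.
            self.entries[k] = (now + WINDOW, cluster)
        return ok
```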
