Cache One Time Password OTP
Gardner, Mark
mark.gardner at kc.frb.org
Mon Mar 16 19:11:05 CET 2015
>On Mar 13, 2015, at 10:52 PM, Gardner, Mark <mark.gardner at kc.frb.org>
>wrote:
>> So I've installed a newer version of freeradius with the rlm_cache
>> module.
>> I've configured it like the Feb2013 email above. However, a curious
>> problem: if I use radtest and submit two bad passwords one after
>> another, the first fails with a Reject; the second passes with Accept.
>
> So… there’s debug output you can read, right?
>
So I mucked around with it some more and I think I have it figured out.
Here is my default site.
cat sites-enabled/default | egrep -v "(#.*|^$)"
authorize {
    preprocess
    eap {
        ok = return
    }
    ldap
    cache
    if (ok) {
        update control {
            Auth-Type := Accept
            Cache-Status-Only !* ANY
            Cache-TTL = 0
        }
        ok
    }
    else {
        update control {
            Cache-Status-Only !* ANY
        }
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        ldap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        update control {
            Cache-TTL = 0
        }
        cache
        update control {
            Cache-TTL !* ANY
        }
    }
    cache
}
pre-proxy {
}
post-proxy {
    eap
}
This is just for pam_radius_auth for other Linux boxes. The only
situation I have that I may want to resolve is this: if the second request
(within the TTL of 10 seconds) has a different/bad password, it will still
ACCEPT and not REJECT, mostly because I don't see it caching the
password.
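The behaviour described above comes down to what the cache entry is keyed on: when a cached Accept is looked up by user name alone, any password presented inside the TTL window is accepted. The following Python model is an added illustration, not code from this thread or from FreeRADIUS; the OTP backend, the user "alice", the code "123456" and the credential-bound key scheme are all constructed assumptions.

```python
import hashlib

TTL_SECONDS = 10  # the 10-second Cache-TTL window from the post

def username_key(username, password):
    return username  # credential ignored: the behaviour the post describes

def credential_key(username, password):
    # Hypothetical fix: bind a hash of the credential to the key; no plaintext is stored
    digest = hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()
    return f"{username}:{digest}"

class AcceptCache:  # caches Access-Accept only; rejects are not cached (Cache-TTL = 0)
    def __init__(self, key_func, now):
        self.key_func = key_func
        self.now = now  # injectable clock so the TTL window is deterministic
        self.entries = {}  # cache key -> expiry time

    def authenticate(self, username, password, backend):
        key = self.key_func(username, password)
        expiry = self.entries.get(key)
        if expiry is not None and expiry > self.now():
            return "Accept"  # cache hit: the OTP backend is not consulted
        if backend(username, password):
            self.entries[key] = self.now() + TTL_SECONDS
            return "Accept"
        return "Reject"

def make_otp_backend(valid_otp):  # constructed stand-in: each OTP is accepted once only
    used = set()
    def check(username, password):
        if password != valid_otp or (username, password) in used:
            return False
        used.add((username, password))
        return True
    return check

def demo():
    clock = [100.0]
    results = {}
    for name, key_func in (("username_only", username_key), ("credential_bound", credential_key)):
        cache = AcceptCache(key_func, now=lambda: clock[0])
        backend = make_otp_backend("123456")
        outcome = []
        for password in ("123456", "bad", "123456"):  # good OTP, bad password, same OTP replayed
            outcome.append(cache.authenticate("alice", password, backend))
            clock[0] += 2  # still inside the 10 s window
        results[name] = tuple(outcome)
    return results
```

With the user-name-only key the bad password is accepted from the cache; with the credential-bound key it is rejected while the legitimate replay of the same OTP within the TTL still hits the cache.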