EAP-GTC and cache_auth

[Grosjean Cyril]

 Hello Alan,

On 12 Sep 2022 at 19:27:02, Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 12, 2022, at 6:33 AM, Grosjean Cyril <
> cygrosjean+freeradius at gmail.com> wrote:
>
> I’m searching a way to cache authentification with EAP-GTC as a EAP phase
> 2.
>
> It is currently very easy with PAP (as I have the User-Password in the
>
> authenticate part) but I can’t succeed to find a way to cache it with
>
> EAP-GTC.
>
>
>  You don't cache what the user entered, i.e. User-Password or EAP-GTC.
> You cache the Cleartext-Password attribute which you received from the
> database.
>

I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.


>  And why are you trying to cache EAP-GTC anyways?  Does the database
> disappear from time to time? If so, fix the database.
>

I’m not trying to cache the EAP-GTC but the result of authentication
against LDAP with a hash of User-Name/User-Password after “Bind as User”
method.


> Do I miss an attribute that would help me to cache an Access-Accept in that
>
> way ?
>
>
>  You can't cache an Access-Accept for EAP.  It doesn't work, and it's
> *always* the wrong thing to do.
>

As said before, I’m trying to cache auth (as documented on the Google
Secure LDAP setup, with an other LDAP).
I have already cached User-DN (which helped me remove one LDAP search), but
I want to be able to remove as much LDAP bind as possible.

It is clear that on v3.2 it said that it’s only compatible with PAP (it is
working with PAP flawlessly on my setup).
But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on
the "authenticate" part and not the “authorize" part.

The LDAP setup I’m facing is very complicated (lot of latencies), I may
suffer hard rate-limit and it isn't possible to “fix it" from my PoV.


>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Cyril Grosjean