EAP-GTC and cache_auth
Alan DeKok
aland at deployingradius.com
Mon Sep 12 19:15:25 UTC 2022
On Sep 12, 2022, at 1:48 PM, Grosjean Cyril <cygrosjean+freeradius at gmail.com> wrote:
> I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.
That does make things more problematic.
> I’m not trying to cache the EAP-GTC but the result of authentication
> against LDAP with a hash of User-Name/User-Password after “Bind as User”
> method.
I'm not sure how you cache the "result of authentication". The LDAP "bind as user" just checks a password against LDAP.
If that works for EAP-GTC, then the server has extracted the password, for use in the "auth-type PAP" section. So... just cache the User-Password there.
> As said before, I’m trying to cache auth (as documented on the Google
> Secure LDAP setup, with an other LDAP).
> I have already cached User-DN (which helped me remove one LDAP search), but
> I want to be able to remove as much LDAP bind as possible.
>
> It is clear that on v3.2 it said that it’s only compatible with PAP (it is
> working with PAP flawlessly on my setup).
> But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on
> the "authenticate" part and not the “authorize" part.
So?
Auth-Type pap {
	pap

	if (EAP-Message && User-Password) {
		// cache User-Password
	}
}
That will work.
> The LDAP setup I’m facing is very complicated (lot of latencies), I may
> suffer hard rate-limit and it isn't possible to “fix it" from my PoV.
I really dislike databases which aren't available. It's a terrible design.
Alan DeKok.
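A worked version of the approach in the reply above, added here as an illustration; it is not code from the thread or from the FreeRADIUS project beyond the rlm_cache module and the Cache-* control attributes it uses. It assumes FreeRADIUS 3.x unlang, a cache instance named cache_auth (name assumed), a 300-second ttl (assumed), the inner-tunnel virtual server, an ldap instance configured for "bind as user", and eap's gtc sub-module set to auth_type = PAP so the plaintext from EAP-GTC arrives in the Auth-Type PAP section with User-Password set. The password LDAP just accepted is stored as control:Cleartext-Password, so on the next login pap checks it locally and the LDAP bind is skipped; a cached entry that no longer matches (password changed in LDAP) is dropped and the request falls back to the bind.

```unlang
#  mods-available/cache_auth   (instance name assumed; the module is rlm_cache)
cache cache_auth {
	#  In-process memory only: the cached secret never leaves radiusd.
	driver = "rlm_cache_rbtree"

	#  One entry per account (lower-cased so "Bob" and "bob" share it;
	#  only valid if your LDAP treats names case-insensitively).
	key = "%{tolower:%{User-Name}}"

	#  Seconds a verified password stays usable without an LDAP bind.
	#  Keep it short: it bounds how long a changed or revoked password
	#  keeps working here.  Value is an assumption.
	ttl = 300

	#  Stored on insert: the password LDAP just accepted becomes the
	#  "known good" password that pap compares against next time.
	update {
		&control:Cleartext-Password := "%{User-Password}"
	}
}

#  sites-enabled/inner-tunnel, authenticate section (assumed location).
authenticate {
	Auth-Type PAP {
		#  1. Lookup only.  On a miss do not create an entry yet, and do
		#     not let rlm_cache's "notfound" end the section.
		update control {
			&Cache-Allow-Insert := no
		}
		cache_auth {
			notfound = 1
		}

		#  2. Hit: control:Cleartext-Password was merged in, so pap can
		#     verify without LDAP.  Lower the priority of reject so a
		#     mismatch falls through instead of ending the request.
		if (&control:Cleartext-Password) {
			pap {
				reject = 1
			}
			if (reject) {
				#  Stale entry: forget it and fall back to LDAP.
				#  rlm_cache treats Cache-TTL = 0 as "delete this entry".
				update control {
					&Cleartext-Password !* ANY
					&Cache-TTL := 0
				}
				cache_auth {
					notfound = 1
				}
				update control {
					&Cache-TTL !* ANY
				}
			}
		}

		#  3. Miss (or stale entry): bind as the user, exactly as before.
		#     A failed bind returns reject and stops the section here.
		if (!&control:Cleartext-Password) {
			ldap

			#  4. Cache only a password LDAP accepted, and only for an
			#     EAP-GTC inner request (the check from the reply above).
			if (ok && &EAP-Message && &User-Password) {
				update control {
					&Cache-Allow-Insert := yes
				}
				cache_auth
			}
		}
	}

	eap
}
```

Two things to keep in mind with this design. The cache holds a cleartext password in memory for up to ttl seconds: keep the rbtree driver (not memcached or redis), keep ttl short, and remember that radiusd -X prints control:Cleartext-Password in its debug output. And LDAP no longer sees the repeated logins of a cached user, so any lockout or attempt counting done on the LDAP side only applies to cache misses; the old password keeps working here until the entry expires or a login with the new one replaces it.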