EAP-GTC and cache_auth

Alan DeKok aland at deployingradius.com
Mon Sep 12 19:15:25 UTC 2022

On Sep 12, 2022, at 1:48 PM, Grosjean Cyril <cygrosjean+freeradius at gmail.com> wrote:
> I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.

  That does make things more problematic.

> I’m not trying to cache the EAP-GTC but the result of authentication
> against LDAP with a hash of User-Name/User-Password after “Bind as User”
> method.

  I'm not sure how you cache the "result of authentication".  The LDAP "bind as user" just checks a password against LDAP.

  If that works for EAP-GTC, then the server has extracted the password, for use in the "auth-type PAP" section.  So... just cache the User-Password there.

> As said before, I’m trying to cache auth (as documented on the Google
> Secure LDAP setup, with an other LDAP).
> I have already cached User-DN (which helped me remove one LDAP search), but
> I want to be able to remove as much LDAP bind as possible.
> It is clear that on v3.2 it said that it’s only compatible with PAP (it is
> working with PAP flawlessly on my setup).
> But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on
> the "authenticate" part and not the “authorize" part.


	Auth-Type pap {
		if (EAP-Message && User-Password) {
			// cache User-Password

  That will work.

> The LDAP setup I’m facing is very complicated (lot of latencies), I may
> suffer hard rate-limit and it isn't possible to “fix it" from my PoV.

  I really dislike databases which aren't available.  It's a terrible design.

  Alan DeKok.

More information about the Freeradius-Users mailing list