EAP-GTC and cache_auth

Grosjean Cyril cygrosjean+freeradius at gmail.com
Tue Sep 13 18:38:09 UTC 2022


On 12 Sep 2022 at 21:15:25, Alan DeKok <aland at deployingradius.com> wrote:

>  So?
>
> Auth-Type pap {
> pap
> if (EAP-Message && User-Password) {
> // cache User-Password
> }
> }
>
>  That will work.
>

On my setup (again, pretty much the same as the “google_ldap_auth” site), I
validate the cache_auth_accept/reject in the authorize part.

I’m using the debug_all module to take advantage of all the steps, and I
can see that it is only in the authenticate part that GTC expands the
User-Password part.
If I could expand the “User-Password” variable after the “eap” step in
authorize, it would make my life easier (and compatible with the
“google_ldap_auth” setup).

—
So, I tried your suggestion that I should try the cache in the authenticate
part, in the associated Auth-Type. I hope I understand you right.

But again, if I’m right, it seems that the cache module isn’t usable in the
authenticate part (
https://github.com/FreeRADIUS/freeradius-server/blob/0962a824d7a7bd0c1c8390cab2564b0933a088d8/src/modules/rlm_cache/rlm_cache.c#L830
)
Should I modify my FreeRADIUS to be able to use it in the authenticate
part?

  authenticate {
    Auth-Type PAP {
      if (EAP-Type == "GTC" && User-Password) {
        update control {
          &Cache-Read-Only := "yes"
        }
        cache_auth_accept
        if (ok) {
          update {
            &control:Auth-Type := Accept
          }
          return
        }
        else {
          ldap
        }
      }
      else {
        ldap
      }
    }
  }

If I want to do that, I need to modify
src/modules/rlm_cache/rlm_cache.c:

diff --git a/src/modules/rlm_cache/rlm_cache.c
b/src/modules/rlm_cache/rlm_cache.c
index 07fa098f45..9924cc2c8a 100644
--- a/src/modules/rlm_cache/rlm_cache.c
+++ b/src/modules/rlm_cache/rlm_cache.c
@@ -829,6 +829,7 @@ module_t rlm_cache = {
        .detach         = mod_detach,
        .methods = {
                [MOD_AUTHORIZE]         = mod_cache_it,
+               [MOD_AUTHENTICATE]      = mod_cache_it,
                [MOD_PREACCT]           = mod_cache_it,
                [MOD_ACCOUNTING]        = mod_cache_it,
                [MOD_PRE_PROXY]         = mod_cache_it,
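
Review bot: the added `[MOD_AUTHENTICATE] = mod_cache_it` entry reuses, unchanged, the handler that is registered for authorize, preacct, accounting and pre-proxy, but in an authenticate section the module's return code is taken as the authentication result. Please check what mod_cache_it returns on a cache hit, a miss and a new insert, and confirm that each of those maps to the accept or reject outcome you intend when the module runs inside an Auth-Type block. A short comment next to the new entry, or a note in the module documentation, stating that the module may now be listed in authenticate and what its return codes mean there would also help.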

After compiling this, it starts to work, but I have a feeling that it is not
correct in the FreeRADIUS model. Am I missing something?

Cyril Grosjean

