cache entry time

Eric Lin pirate585 at gmail.com
Thu Apr 4 15:48:16 UTC 2024


Hi

FreeRADIUS is used as a RADIUS proxy to forward RADIUS auth requests to a
backend NPS server for MFA.

The scenario we would like to achieve is the following:
1. The client sends username/OTP to freeradius-proxy, which relays it to the
NPS server. The NPS server accepts and replies to freeradius-proxy, which
relays the reply to the client.

2. The client sends the same username/OTP within the TTL to freeradius-proxy,
which accepts and replies to the client.

With the following config I can make the scenario work, but I notice that
the cache entry TTL is timed from when the RADIUS client sends the RADIUS
auth request, not from when the user finishes the OTP response. For example,
the user logs in at 9:05:12AM and finishes OTP/MFA at 9:05:34AM. The cache
TTL is timed from 9:05:12AM. Which config should be adjusted to make the
cache time correct?

Regards,
Eric

### customization
cache otpcache {
        # note - we need to escape the key values
        # otherwise the client can perform injection/overlap
        # attacks by modifying their username
        driver = "rlm_cache_rbtree"
        key = "%{sha256:%{User-Name}}/%{sha256:%{User-Password}}/%{sha256:%{MS-Machine-Name}}/%{sha256:%{Calling-Station-Id}}"
        ttl = 120
        update {
                # <list>:<attribute> <op> <value>

                # Cache all instances of Reply-Message in the reply list
                &reply:Reply-Message += &reply:Reply-Message[*]

                # Add our own to show when the cache was last updated
                &reply:Reply-Message += "Cache last updated at %t"
        }
}
### end of customization


authorize {
        ### customization
        # first, just check the cache, don't
        # create entries or set reply attrs
        update control {
                Cache-Status-Only = yes
        }
        otpcache

        if (ok) {
                # entry found in cache; set auth type to accept
                # and call cache again to get reply attrs
                update control {
                        Cache-Status-Only !* ANY
                }
                accept
                otpcache
                ok
        }
        else {
                # future cache lookups here, and in post-auth,
                # should be normal ones
                update control {
                        Cache-Status-Only !* ANY
                }
        }
        ### end of customization
}


post-auth {
        ### customization
        if (control:Auth-Type == Accept) {
                # first, delete any existing cache entry: Cache-TTL = 0
                # only takes effect when the cache module is actually
                # called, so call otpcache while it is set
                update control {
                        Cache-TTL = 0
                }
                otpcache

                # clear that variable
                update control {
                        Cache-TTL !* ANY
                }

                # now cache the reply
                otpcache
        }
        ### end of customization
}
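
An added example, not code from the post or from FreeRADIUS, modelling in Python the two security-relevant points of the configuration above: why the cache key hashes each attribute separately instead of joining raw values, and how timing the TTL from the Access-Request timestamp (the behaviour the post reports) shortens the usable window after the OTP completes. All names, addresses and timestamps are constructed.

```python
import hashlib
from datetime import datetime, timedelta

TTL = timedelta(seconds=120)  # matches "ttl = 120" in the otpcache config


def raw_key(*attrs):
    """Naive key: attributes joined with '/' and not escaped (what the config avoids)."""
    return "/".join(attrs)


def hashed_key(*attrs):
    """Key as the config builds it: each attribute hashed on its own, then joined."""
    return "/".join(hashlib.sha256(a.encode()).hexdigest() for a in attrs)


class OtpCache:
    """Minimal model of otpcache as the post describes it (not rlm_cache itself).

    The entry is written in post-auth, after the NPS reply, but its expiry is
    computed from the timestamp of the original Access-Request, so the time
    the user spends completing MFA is subtracted from the 120 s window.
    """

    def __init__(self):
        self.entries = {}  # key -> expiry time

    def lookup(self, key, now):
        """Cache-Status-Only style check: True only if a live entry exists."""
        expiry = self.entries.get(key)
        return expiry is not None and now < expiry

    def insert(self, key, request_ts):
        """Delete-then-reinsert, as the post-auth section intends."""
        self.entries[key] = request_ts + TTL
        return self.entries[key]


def scenario():
    """Constructed timeline from the post: request 9:05:12, OTP done 9:05:34."""
    cache = OtpCache()
    key = hashed_key("alice", "123456", "LAPTOP01", "00-11-22-33-44-55")  # constructed
    request_ts = datetime(2024, 4, 4, 9, 5, 12)   # Access-Request reaches the proxy
    mfa_done = datetime(2024, 4, 4, 9, 5, 34)     # NPS Access-Accept after the OTP
    expiry = cache.insert(key, request_ts)
    # retries measured from when the user actually finished MFA
    hits = {secs: cache.lookup(key, mfa_done + timedelta(seconds=secs)) for secs in (90, 100)}
    return expiry, hits
```

A retry 100 s after the OTP already misses, because the entry expired 120 s after the request arrived rather than 120 s after MFA completed; the raw key also shows how a "/" inside User-Name can collide with a different attribute tuple, which the per-attribute hashing prevents.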


More information about the Freeradius-Users mailing list