Re: freeradius-proxy with Rlm_cache

Wed, 20 Feb 2013 04:52:30 -0800 

On 20/02/13 08:38, Dominique Frise wrote:

Hi,

We would like to configure a freeradius proxy-server v. 2.2.0 under
RHEL6 with users caching.

The scenario we would like to achieve is the following:

1. client sends username/OTP to freeradius-proxy that relays to central
radius server.
Central radius server accepts and replies to freeradius-proxy that
relays to client.

2. client sends same username/OTP within TTL to freeradius-proxy that
accepts and replies to client.

This should be possible using Rlm_cache module but we did not find a
proper how-to for configuring this.
Can you show a debug ("radiusd -X") of an auth request? This will make it more obvious what attributes you need to have as key/value.
Also, this will probably only work if your OTP is simple PAP-like i.e. request/accept. It probably won't work if Access-Challenge or any challenge/response is involved. 

But, for example, if your request looked like this:

User-Name = foo
User-Password = bar
OTP-Password = 123456

...then you'd want an rlm_cache config like this:

cache otpcache {
  # note - we need to escape the key values
  # otherwise the client can perform injection/overlap
  # attacks by modifying their username
key = "%{urlquote:%{User-Name}}/%{urlquote:%{User-Password}}/%{urlquote:%{OTP-Password}}" 
  ttl = 60
}

...and then:

authorize {
  # first, just check the cache, don't
  # create entries or set reply attrs
  update control {
    Cache-Status-Only = yes
  }
  otpcache

  # future cache lookups here, and in post-auth,
  # should be normal ones
  update control {
    Cache-Status-Only !* ANY
  }

  if (ok) {
    # entry found in cache; set auth type to accept
    # and call cache again to get reply attrs
    update control {
      Auth-Type := Accept
    }
    otpcache
    ok
  }

  ...
}
post-auth {
  # first, delete any existing cache entries
  update control {
    Cache-TTL = 0
  }
  otpcache

  # clear that variable
  update control {
    Cache-TTL !* ANY
  }

  # now cache the reply
  otpcache
}
It's a bit awkward TBH; I kind of wish modules could have "named methods" e.g. "cache.{check,get,set,expire}" but you can wrap it all in a policy.conf if you want readability. 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to