[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: rlm_cache and ntlm_auth
From:       John Douglass <john.douglass () oit ! gatech ! edu>
Date:       2013-11-25 14:46:35
Message-ID: 529362CB.7020301 () oit ! gatech ! edu
[Download RAW message or body]

Jonathan,

I have had some success on our servers with the EAP caching available in 
the eap.conf file within the tls {} block. It does take some additional 
work to save/restore attributes from the cache, but it's been successful 
for me for _some_ subset of authentications in not having to go all the 
way to AD during the cache time.

It's going to totally depend upon client behavior/capabilities.

- JohnD



On 11/25/2013 08:15 AM, Arran Cudbard-Bell wrote:
> On 25 Nov 2013, at 12:26, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> 
> > Probably a simple question, but I've Googled it and I can't find the answer.
> > 
> > Is it possible to wrap an ntlm_auth backend in rlm_cache? Our active directory is \
> > frequently quite slow. If we were able to grab at least some of these \
> > authentications from the cache I think it would help a lot. 
> > I don't know exactly what data is returned from NTLM, is it cacheable or does it \
> > have to be fresh each time? By the fact that I haven't found any mention of \
> > anyone doing this, I suspect it's probably not possible. 
> For PAP yes, for MSCHAPv2 no (challenge/response).
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb@freeradius.org>
> FreeRADIUS Development Team
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]