Number of LDAP/SQL queries in inner-tunnel
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 23 19:24:41 CEST 2011
On 23/06/11 17:29, Alan DeKok wrote:
> Phil Mayers wrote:
>> Also in discussions on JANET-ROAMING, it seems people are seeing 3
>> queries to their LDAP servers in inner-tunnel. I believe this is
>> because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:
>>
>> * EAP identity -> Access-Challenge with EAP-MSCHAP challenge
>> * EAP-MSCHAP response packet -> Access-Challenge with EAP success
>> * EAP success -> Access-Accept
>
> Oops.
I have found a vile solution:

raddb/policy.conf:

policy {
        eap_inner {
                eap {
                        updated = 1
                }
                # stop processing authorize on eap identity or mschap success/fail
                if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
                        noop
                }
        }
}

raddb/sites-enabled/*-tunnel:

authorize {
        eap_inner
        if (updated) {
                ldap
                sql
                other_query
        }
}
;o)
This would actually be quite clean if you could write:

policy {
        blah {
        }
}

authorize {
        blah {
                ok = return
        }
}

...but it seems that's not supported.
>
>> ...can be used to stop processing, but that's specific to the PEAP/TTLS
>> EAP types; the EAP module just returns "updated" for EAP-Identity and
>> EAP-Success packets.
>>
>> Should rlm_eap return "ok" (or something) in authorize if the packet is
>> an EAP-Identity, NAK, Success or Failure packets? Or maybe "handled"
>> (although that's riskier, since the user can't opt out of it).
>
> Maybe "ok" is better.
>
>> This would allow you to do:
>>
>> server inner-tunnel {
>> authorize {
>> eap {
>> ok = return
>> }
>> ldap
>> }
>> }
>>
>> Obviously you need to run SQL/LDAP for inner-eap method "response"
>> packets to read Cleartext-Password / NT-Password in time for the
>> authenticate {} section.
>
> Sounds good to me.
>
> Patch? :)
It's untested because I have to dash, but the attached should do it.
I'll compile it up and test tomorrow.
Attachment: eap-ok.patch
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20110623/4fe8f84e/attachment.ksh>
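The three inner-tunnel passes discussed in this thread, as an added Python example that is not part of the original post or of FreeRADIUS: it decodes the "0x..." form in which FreeRADIUS prints EAP-Message, names which of the three passes a given EAP Response belongs to, and mirrors the unlang condition from the policy above (EAP-Type == 1, or the regex for a 6-byte EAP-MSCHAPv2 ack) to show that only the MSCHAPv2 Response pass is the one where the LDAP/SQL lookup is needed. The three sample packets are constructed here (identity "alice@example.org", a zeroed 49-byte MS-CHAPv2 response value); the function names are mine, not FreeRADIUS's.

```python
import re
import struct

# EAP codes (RFC 3748) and the op-codes EAP-MSCHAPv2 carries in its Type-Data.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure",
               7: "Change-Password"}

# The same regex the posted policy applies to the hex form of EAP-Message:
# Response (02), any id, length 0006, type 1a (26), any op-code. Only the
# peer's Success/Failure acknowledgement is that short.
SIX_BYTE_MSCHAP_RE = re.compile(r"^0x02..00061a..$")


def parse_eap(eap_message_hex):
    """Decode the '0x...' string FreeRADIUS shows for EAP-Message."""
    hexpart = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    raw = bytes.fromhex(hexpart)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": code, "id": ident, "length": length, "type": None, "op": None}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type
        pkt["type"] = raw[4]
        if pkt["type"] == EAP_TYPE_IDENTITY:
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
        elif pkt["type"] == EAP_TYPE_MSCHAPV2 and length >= 6:
            pkt["op"] = raw[5]                    # MSCHAPv2 OpCode
    return pkt


def inner_pass(eap_message_hex):
    """Name which inner-tunnel pass this EAP Response belongs to."""
    pkt = parse_eap(eap_message_hex)
    if pkt["code"] != EAP_RESPONSE:
        return "not-a-response"
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return "identity"
    if pkt["type"] == EAP_TYPE_MSCHAPV2:
        return "mschapv2-" + MSCHAPV2_OP.get(pkt["op"], "unknown").lower()
    return "other"


def needs_password_lookup(eap_message_hex):
    """True only for the pass where authenticate {} will need the NT/Cleartext-Password."""
    return inner_pass(eap_message_hex) == "mschapv2-response"


def policy_skips(eap_message_hex):
    """Mirror the posted unlang test: EAP-Type == 1 or the 6-byte MSCHAPv2 regex."""
    pkt = parse_eap(eap_message_hex)
    return pkt["type"] == EAP_TYPE_IDENTITY or bool(SIX_BYTE_MSCHAP_RE.match(eap_message_hex))


def build_eap_response(ident, eap_type, type_data):
    """Encode an EAP Response as the '0x...' hex string FreeRADIUS would print."""
    body = bytes([eap_type]) + type_data
    return "0x" + (struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body).hex()


# Constructed sample packets for the three passes (not captured traffic).
IDENTITY_RESPONSE = build_eap_response(1, EAP_TYPE_IDENTITY, b"alice@example.org")

# MSCHAPv2 Response: OpCode 2, MS-CHAPv2-ID, MS-Length, Value-Size 49,
# 49-byte response value (zeroed for illustration), then the Name.
_name = b"alice"
_ms_length = 4 + 1 + 49 + len(_name)
_ms_data = bytes([2, 1]) + struct.pack("!H", _ms_length) + bytes([49]) + bytes(49) + _name
MSCHAP_RESPONSE = build_eap_response(2, EAP_TYPE_MSCHAPV2, _ms_data)

# The 6-byte Success acknowledgement: 0x020300061a03
MSCHAP_SUCCESS_ACK = build_eap_response(3, EAP_TYPE_MSCHAPV2, bytes([3]))

THREE_PASSES = (IDENTITY_RESPONSE, MSCHAP_RESPONSE, MSCHAP_SUCCESS_ACK)


def lookups_needed(packets=THREE_PASSES):
    """How many of the given inner-tunnel packets actually need LDAP/SQL."""
    return sum(1 for p in packets if needs_password_lookup(p))


if __name__ == "__main__":
    for p in THREE_PASSES:
        print(p, inner_pass(p), "skip" if policy_skips(p) else "run ldap/sql")
    print("lookups needed:", lookups_needed())
```

Run stand-alone it prints one line per pass; the policy's skip condition is true for exactly the two passes that do not need a password lookup, which is the saving the thread is after.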