Do I then remove ldap from the authorize section so that it doesn't call it every packet? I did a bunch of testing and it seems that I have to do that to reduce the number of calls to our eDirectory servers.
Thanks for helping me out.
Nathan
Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu

>>> Phil Mayers <p.mayers@imperial.ac.uk> 10/31/2007 9:12 AM >>>
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
> I have FreeRadius 1.1.7 installed and talking to our eDirectory
> servers via LDAP to authenticate users to our wireless network. It
> works great, but our eDirectory servers get hit with 11 requests each
> time a single client authenticates. Running FreeRadius in debug mode,
> I see 10 requests of the format "Access-Request packet from host
> 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port
> 1082". Then I see a single final request of the format
> "Access-Request packet from host 10.0.0.1" and then "Sending
> Access-Accept of id 0 to 10.0.0.1 port 1082". Each one of these 11
> requests performs a check of the user on our eDirectory servers, hence
> the 11 hits each time a single client authenticates.
>
> Is this normal or do I need to fix something? I'd be glad to send the
> entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets. You have
configured the server to run the LDAP lookups on each packet, as opposed
to just once.

The easiest thing is to do this:

authorize {
    preprocess
    ...etc...
    eap
    ...etc...
    Autz-Type INNER {
        ldap
    }
}

...and in the "users" file:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

This will match the "inner" packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11. Getting
down to 1 lookup requires FreeRadius 2.0 (not currently released).

> Thanks for your help,
>
> Nathan
>
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University
> www.cedarville.edu
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
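A way to measure the per-authentication LDAP load Nathan describes before and after the Autz-Type change, added here as an example and not part of either message: it groups radiusd -X output by NAS conversation and counts Access-Requests, rlm_ldap searches and reply types. The sample debug text is constructed; its packet lines follow the wording quoted in the thread, while the "rlm_ldap: performing search" line is an assumption about how rlm_ldap 1.x reports a search.

```python
import re
from collections import defaultdict

# Constructed sample of "radiusd -X" output (not from the thread). The packet
# lines follow the wording quoted in Nathan's message; the rlm_ldap line is an
# assumption about how rlm_ldap 1.x reports a search - adjust LDAP_RE to match
# your build's wording.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.1:1082, id=0, length=150
rlm_ldap: performing search in o=example, with filter (uid=alice)
Sending Access-Challenge of id 0 to 10.0.0.1 port 1082
rad_recv: Access-Request packet from host 10.0.0.1:1082, id=1, length=210
rlm_ldap: performing search in o=example, with filter (uid=alice)
Sending Access-Challenge of id 1 to 10.0.0.1 port 1082
rad_recv: Access-Request packet from host 10.0.0.1:1082, id=2, length=190
rlm_ldap: performing search in o=example, with filter (uid=alice)
Sending Access-Accept of id 2 to 10.0.0.1 port 1082
rad_recv: Access-Request packet from host 10.0.0.2:2048, id=7, length=150
rlm_ldap: performing search in o=example, with filter (uid=bob)
Sending Access-Reject of id 7 to 10.0.0.2 port 2048
"""

REQUEST_RE = re.compile(r"Access-Request packet from host (\S+?):(\d+)")
REPLY_RE = re.compile(r"Sending (Access-\w+) of id \d+ to (\S+) port (\d+)")
LDAP_RE = re.compile(r"rlm_ldap: performing search")


def count_lookups(debug_text):
    """Per (NAS host, port) conversation: number of Access-Requests, LDAP
    searches (attributed to the most recent request) and replies by type."""
    stats = defaultdict(lambda: {"requests": 0, "ldap_searches": 0,
                                 "replies": defaultdict(int)})
    current = None  # conversation the packet being processed belongs to
    for line in debug_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            stats[current]["requests"] += 1
        elif current is not None and LDAP_RE.search(line):
            stats[current]["ldap_searches"] += 1
        else:
            m = REPLY_RE.search(line)
            if m:
                stats[(m.group(2), int(m.group(3)))]["replies"][m.group(1)] += 1
    # plain dicts so results compare and print cleanly
    return {k: {"requests": v["requests"], "ldap_searches": v["ldap_searches"],
                "replies": dict(v["replies"])} for k, v in stats.items()}
```

Run it over a capture taken with the original authorize section and again with the Autz-Type INNER sub-block; the ldap_searches count per conversation should drop from one per packet to the one or two inner lookups Phil describes.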