LDAP Groups and EAP

Hi all:

     I am running Freeradius 1.1.0 and am trying to get Ldap-Groups to work with EAP/PEAP/MSCHAPv2, but have been running into issues.  I'm trying to permit authentication to a wireless SSID based on an LDAP group.  Here is my configuration:

Radiusd.conf:

      authorize{
          preprocess
          auth_log
          files {
             notfound = return
          }
          eap
          redundant-load-balance {
                   ldap1
                   ldap2
          }


        authenticate {
          Auth-Type LDAP {
             redundant-load-balance {
                ldap1
                ldap2
             }
          Auth-Type EAP {
             eap
          }

hints:
          DEFAULT Called-Station-Id =~ ".*:ssid"
                            Called-Station-Id := "ssid"

huntgroups:
          restrict   Called-Station-Id == ssid
          all          NAS-IP-Address == xxx

users:
          DEFAULT   Huntgroup-Name == restrict, Ldap-group == "cn=something,ou=something"
          DEFAULT   Huntgroup-Name == all


    When I try to authenticate, the radius server receives about 7 Access-requests.  Each time it receives one, the Radius server checks the LDAP store to verify that the user exists in the ldap group (is this normal?  can this be reduced? 7 LDAP binds per authentication attempt seems high), and each module returns OK.  On the 6th attempt though, it attempts to decode the EAP tunnel, and this happens:

       rlm_dap::ldap_groupcmp: User found in group cn=something,ou=something
blah blah blah
       Processing the authenticate section
blah blah blah
       rlm_eap_peap: EAPTLS_OK
       rlm_eap_peap: Session established.  Decoding tunneled attributes.
       rlm_eap_peap: Identity - XXX
       rlm_eap_peap: Tunneled data is valid
       PEAP: Got tunneled identity of XXX
       PEAP: Setting default EAP type for tunneled EAP session
       PEAP: Setting User-Name to XXX
       Processing the authorize section
       modcall[authorize]: module "preprocess" returns ok for request 6
blah blah blah
       modcall[authorize]: module "auth_log" returns ok for request 6
       modcall[authorize]: module "files" returns notfound for request 6

       Notice that there is no additional call to ldap_group between the authorize and the resulting failure in the files module.  Since I have set "files { notfound = return}," the user fails to authenticate despite being accepted 5 times previously with ldap_group.  If I remove "notfound = return", the user can authenticate REGARDLESS of the ldap-group I set, even when ldap_group returns notfound.

     Is there something i'm missing in the configuration file?

    

Never miss a thing. Make Yahoo your homepage.
This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.