Question about outer identity
Alan DeKok
aland at deployingradius.com
Thu Jul 30 13:08:55 CEST 2009
Martin Pauly wrote:
> I have 2.1.6 and things basically work. But I just came across a
> question about the processing of outer/inner identity:
>
> As I understand it, in case of a non-EAP RADIUS request (eg from my old
> modem servers), there is no tunnel and hence no inner identity.
> ==> Autz and Auth are done by the default virtual server and governed by
> the settings in radiusd.conf and sites-available/default -- right?
Yes.
> In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer
> identity is simply used as a dummy during Tunnel setup
> (Our EAP Clients use anonymous at uni-marburg.de as outer identity).
Yes.
> Nonetheless, freeradius does an LDAP request during Authorization
> which, of course, fails with 'notfound'.
Because that's what you configured...
> freeradius then happily
> proceeds to do the real authentication with inner-tunnel.
> Now I wonder how to avoid that extra LDAP query.
$ man unlang
There's an entire policy language to define rules.
Replace the "ldap123" line in the "authorize" section with:
if (!EAP-Message) {
    ldap123
}
Alan DeKok.
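To make the division of labour concrete, here is an added example of how the two virtual servers can be laid out so that LDAP is consulted exactly once, against the identity that is actually being authenticated. This is illustrative configuration written for this page, not Alan's reply or the stock FreeRADIUS files: the module instance name "ldap123" comes from the thread, the file names match the FreeRADIUS 2.x layout, and it assumes the PEAP and TTLS sections of eap.conf point virtual_server at "inner-tunnel".

```unlang
# --- sites-available/default ---------------------------------------------
# Handles plain RADIUS from the modem servers and the *outer* EAP packets.
# For EAP the User-Name is the dummy anonymous@uni-marburg.de, so an LDAP
# lookup here can only return 'notfound'. (2.x leaves this file's server
# block implicit, hence no "server default {" wrapper.)
authorize {
    preprocess
    # eap sets Auth-Type = EAP whenever an EAP-Message is present
    eap

    # Outer EAP packets always carry EAP-Message; skip LDAP for them and
    # run it only for non-EAP requests, whose User-Name is a real account.
    if (!EAP-Message) {
        ldap123
    }
}

authenticate {
    # LDAP bind can only verify cleartext (PAP) passwords, i.e. the
    # modem-server case. EAP requests never reach this Auth-Type.
    Auth-Type LDAP {
        ldap123
    }
    eap
}

# --- sites-available/inner-tunnel ----------------------------------------
# Processes the request carried inside the TLS tunnel. User-Name is now the
# real inner identity, so this is the one place LDAP should be queried.
server inner-tunnel {
    authorize {
        # PEAP-MSCHAPv2 and TTLS/MS-CHAPv2: mschap sets Auth-Type MS-CHAP
        mschap
        # Single real lookup. For MS-CHAPv2 the module must return a
        # password attribute (e.g. NT-Password) from the directory; a
        # bind check is not possible because no cleartext password exists.
        ldap123
        # The tunnelled payload is itself EAP (EAP-MSCHAPv2), so eap runs here too
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

Reading the debug output (radiusd -X) for one PEAP login should then show ldap123 being skipped in the default server's authorize section and running once inside inner-tunnel with the real user name.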