Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu Jun 18 10:23:26 CEST 2009


Hi,

> I have a functional question about freeradius and the ldap lookups.  We currently run cisco wlc440x with WPA2-AES-PEAP-MSCHAPv2 against freeradius, and it is taking a while to authenticate - roughly 35 seconds.  It seems most of this is being chewed up by our slow ldap lookups (about 4-6 seconds each, this is an ldap server issue), in combination with the number of ldap lookups freeradius does per session (5-6).  Is it normal for the freeradius server to perform this many ldap lookups, or do I have a configuration error?  It seems like it does ldap calls each time it receives an access-request from an access-challenge. I've played with the controller auth timeouts, it doesn't seem to make a difference.  Here is the debug output from a single session:

what version of freeradius are you running and what are you using LDAP for?


I now have a single lookup with my FR 2.x configuration because I am using
the inner-tunnel method and only use it for authentication rather than
authorization etc.

in 2.x:

basically, if you are using e.g. EAP then you don't really care about the
outer stuff at all - so prune all the bits out and ensure that the
inner-tunnel virtual server is called for EAP methods with immediate ok = return
for the function (ensure EAP is above other methods if you still have
them enabled!). This is pretty much the default config for the current 2.1.x release(!)

there are ways (nasty ways) of getting similar behaviour under 1.x, but
the flow isn't pretty and you have to be very careful with the exact order
of everything.


alan
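As an added illustration (not Alan's own configuration, and not the stock files verbatim), here is what the 2.1.x layout he describes looks like in trimmed form: the outer `default` virtual server handles the PEAP round trips with `eap { ok = return }` and lists no `ldap` at all, and the single directory query moves into `inner-tunnel`, where the inner MSCHAPv2 identity is known. Names other than the standard `eap`, `ldap`, `mschap`, `suffix` and `preprocess` modules, the `sambaNTPassword` attribute and the `ldap.attrmap` mapping are assumptions for the example.

```unlang
# Added example: trimmed FreeRADIUS 2.1.x configuration for PEAP/MSCHAPv2
# against LDAP with the directory consulted only inside the tunnel.
# The LDAP attribute mapping below is an assumption; adjust to your schema.

# ---- raddb/eap.conf (relevant part) ----
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		use_tunneled_reply = yes
		# Hand the tunneled (inner) EAP conversation to its own virtual
		# server, so the outer server never needs a user lookup.
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# ---- raddb/sites-enabled/default (outer: what the WLC's Access-Requests hit) ----
server default {
	authorize {
		preprocess
		suffix
		# For an in-progress PEAP/TTLS exchange rlm_eap returns "ok";
		# "ok = return" stops the section right here, so nothing below
		# runs for the many Access-Challenge/Access-Request round trips
		# that set up the TLS tunnel.
		eap {
			ok = return
		}
		# Deliberately no "ldap" (or "files", "sql", ...) here: any module
		# listed after eap still runs for the first EAP-Identity packet of
		# every session, and anything listed BEFORE eap runs for every
		# packet, which is the multi-lookup behaviour in the question.
	}
	authenticate {
		eap
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}

# ---- raddb/sites-enabled/inner-tunnel (inner identity, inside the TLS tunnel) ----
server inner-tunnel {
	authorize {
		suffix
		eap {
			ok = return
		}
		# The LDAP query lives only here. EAP-MSCHAPv2 cannot be checked
		# with an LDAP bind (no cleartext password is on the wire), so
		# rlm_ldap must fetch a hash the mschap code can use: map the
		# directory's NT-hash attribute to NT-Password in ldap.attrmap,
		# e.g. (assumed attribute name)
		#   checkItem  NT-Password  sambaNTPassword
		ldap
	}
	authenticate {
		# rlm_eap_mschapv2 calls the MS-CHAP Auth-Type defined in this
		# virtual server to verify the response against NT-Password.
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	post-auth {
	}
}
```

With this split, the outer server's authorize section exits at `eap` for every packet of the TLS setup, and the directory is only consulted for the inner identity; if lookups are still slow, the fix is then on the LDAP side (indexing the attribute used in the `filter`, or a closer replica) rather than in FreeRADIUS. Running `radiusd -X` and counting the `rlm_ldap: performing search` lines for one PEAP session is the quickest way to confirm the count went down.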




More information about the Freeradius-Users mailing list