Can we do sql just once during eap-tls handshake

Johan F2 johan.finnved at stek.se
Thu Mar 5 10:49:03 CET 2009


We are using eap-tls for authentication, assisted with a database for filling
in some attributes.

FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for
each round.
(Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply).
There are 6-9 rounds depending on certificate chain sizes.

Obviously performance would be better with only one database lookup.

Part of the (attempted) configuration:
	authorize {
		preprocess

		eap
		if (I have tried some conditions here) {
			sql
			if (notfound) {
				fail
			}
		}
	}

	authenticate {
		eap
	}

Is there some nice condition that will result in only one lookup in the
database?
A thing that complicates things is that TLS (that declares Success, I believe)
is run during authenticate, which is later than the attempted database lookup.

The TLS outcome is pretty well known in the second last round:
There are logs saying

[tls]     (other): SSL negotiation finished successfully 
SSL Connection Established 

but there is still one Access-Challenge.
So if this fact could be tested in the last round, that test would be a nice
candidate for doing the sql update.

As an aside: Is there a way to really inspect the client certificate
(preferably the entire chain)
and let it affect some logic (in perl as an example)?
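Added example for the aside above (editor's illustration, not code from the original post or from the FreeRADIUS project): an rlm_perl authorize function that reads the client certificate attributes the 2.x EAP-TLS module adds to the request and lets them drive a decision. It assumes the attribute names TLS-Client-Cert-Subject, TLS-Client-Cert-Common-Name, TLS-Client-Cert-Issuer and TLS-Client-Cert-Serial for the leaf certificate and TLS-Cert-Subject for the CA certificates above it in the chain; confirm the names against the server dictionary and the radiusd -X output on your version, and note that they are only present in the round that carries the Certificate message. The expected issuer string is a placeholder.

```perl
# Added example (not from the original post): rlm_perl authorize function that
# inspects the EAP-TLS client certificate attributes and applies local policy.
use strict;
use warnings;

# Hashes that rlm_perl fills in before calling us and reads back afterwards.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Module return codes and log levels, as in the example.pl shipped with rlm_perl.
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;
use constant L_DBG  => 1;
use constant L_AUTH => 2;

# Placeholder: the issuer DN we expect on client certificates (assumption).
my $EXPECTED_ISSUER = '/C=SE/O=Example/CN=Example Issuing CA';

# Placeholder mapping from certificate CN to a reply attribute value (assumption).
my %ROLE_BY_CN = (
    'printer-01' => 'printers',
    'alice'      => 'staff',
);

sub authorize {
    # No certificate in this round (identity round, or TLS has not reached the
    # Certificate message yet): do nothing and let the conversation continue.
    return RLM_MODULE_NOOP
        unless defined $RAD_REQUEST{'TLS-Client-Cert-Subject'};

    my $subject = $RAD_REQUEST{'TLS-Client-Cert-Subject'};
    my $cn      = defined $RAD_REQUEST{'TLS-Client-Cert-Common-Name'}
                ? $RAD_REQUEST{'TLS-Client-Cert-Common-Name'} : '';
    my $issuer  = defined $RAD_REQUEST{'TLS-Client-Cert-Issuer'}
                ? $RAD_REQUEST{'TLS-Client-Cert-Issuer'} : '';
    my $serial  = defined $RAD_REQUEST{'TLS-Client-Cert-Serial'}
                ? $RAD_REQUEST{'TLS-Client-Cert-Serial'} : '';

    # The CA certificates of the chain arrive as TLS-Cert-Subject; with more
    # than one the value is an array reference, so normalise to a list.
    my @chain = ();
    if (defined $RAD_REQUEST{'TLS-Cert-Subject'}) {
        my $v = $RAD_REQUEST{'TLS-Cert-Subject'};
        @chain = ref $v eq 'ARRAY' ? @{$v} : ($v);
    }

    &radiusd::radlog(L_DBG, "client cert subject=$subject serial=$serial "
                          . "issuer=$issuer chain=" . join(' | ', @chain));

    # OpenSSL has already validated the chain against the configured CA file;
    # this is additional policy on top of that, not a replacement for it.
    if ($issuer ne $EXPECTED_ISSUER) {
        &radiusd::radlog(L_AUTH, "rejecting $subject: unexpected issuer $issuer");
        return RLM_MODULE_REJECT;
    }

    # Reject certificates whose CN is not in the local mapping.
    my $role = $ROLE_BY_CN{$cn};
    unless (defined $role) {
        &radiusd::radlog(L_AUTH, "rejecting $subject: unknown CN '$cn'");
        return RLM_MODULE_REJECT;
    }

    # Hand the decision to the rest of the configuration as attributes.
    $RAD_REPLY{'Filter-Id'} = $role;
    return RLM_MODULE_UPDATED;
}

1;
```

The function is wired in by pointing the perl module's `module` setting at this file and listing `perl` in the authorize section after `eap`; because the certificate attributes only exist in the round that carries them, anything decided here and needed in the final Access-Accept has to be carried to that round by the configuration, which this snippet does not do on its own.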