Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?

Brian Wilson briw111 at yahoo.com
Sat Sep 19 00:39:18 CEST 2009


When I did the upgrade I had just copied-pasted my old configuration and it worked without issue, so I completely missed the inner-tunnel.
 
Making those changes helped a lot and reduced the LDAP calls to 3 - Thanks!! I would like to drop this further, as it seems that 2 of them are from the authorize section.  I can't seem to remove it from the authorize section, though, as doing so pisses off mschap (can't find NT-password) and removing mschap pisses off FR (no auth-type defined).  Also, I use an LDAP huntgroup, where users in an LDAP group are allowed to attach to a special SSID, which I think is part of the authorization process....
 
So here is my new configuration, perhaps someone can spot something I'm missing? (tried looking through documentation, can't seem to find my error).
 
default file:
 
authorize {
    preprocess
    auth_log
    mschap
    suffix
    ntdomain
    eap {
        ok = return
    }
    files {
        notfound = reject
        noop = reject
        fail = reject
    }
    expiration
    logintime
}
 
authenticate {
    eap
}
 
 
and inner-tunnel:
 
authorize {
    unix
    suffix
    ntdomain
    update control {
            Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    redundant-load-balance {
            LDAPsvr1
            LDAPsvr2
    }
    expiration
    logintime
}
 
authenticate {
    Auth-Type LDAP {
            redundant-load-balance {
                    LDAPsvr1
                    LDAPsvr2
            }
    }
    unix
    eap
}
 
>Hi,
>> I will need to do some more research on inner-tunnels, as I'm not too familiar with them.  How would I add the ldap components?  As part of the peap module itself?
>
>no - you simply configure the required part of the inner-tunnel virtual server - inner-tunnel
>virtual server gets called as part of the EAP config - and _only_ as part of EAP with default config - check the default raddb config 

>alan
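The question above is which section fires the extra LDAP lookups. The quickest way to answer that for your own setup is to run `radiusd -X` for one PEAP/MSCHAPv2 login and attribute every rlm_ldap search or bind to the virtual server (`default` vs `inner-tunnel`) and the section (`authorize`, `authenticate`'s `Auth-Type` group, ...) it ran under. The script below is an added example written for this purpose, not code from the original post or from the FreeRADIUS project; the trace it parses is constructed to look like FreeRADIUS 2.x debug output with the module names from the configuration above (`LDAPsvr1`, `LDAPsvr2`), and the exact wording of the debug lines is an assumption you may need to adjust to your version.

```python
"""Attribute rlm_ldap calls in a FreeRADIUS 2.x 'radiusd -X' trace to the
virtual server and section that triggered them (added example, not the
project's own tooling)."""
import re
import sys
from collections import Counter

# Patterns approximated from FreeRADIUS 2.x debug output. Assumption: your
# version's wording may differ slightly; adjust the regexes if a line is missed.
ENTER_SERVER = re.compile(r"^server (\S+) \{")            # "server inner-tunnel {"
LEAVE_SERVER = re.compile(r"^\} # server (\S+)")           # "} # server inner-tunnel"
ENTER_GROUP = re.compile(r"^\+- entering group (.+?) \{")  # top-level section only
LDAP_SEARCH = re.compile(r"^\+*\[(\w+)\] performing search in")  # authorize lookup
LDAP_BIND = re.compile(r"^\+*\[(\w+)\] login attempt by")        # Auth-Type LDAP bind

# Constructed sample trace: one PEAP/MSCHAPv2 login, two inner-tunnel packets.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 1645, id=12, length=180
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns updated
server inner-tunnel {
+- entering group authorize {...}
++[unix] returns notfound
++[eap] returns updated
[LDAPsvr1] performing user authorization for bob
[LDAPsvr1] performing search in dc=example,dc=com, with filter (uid=bob)
++[LDAPsvr1] returns ok
+- entering group MSCHAP {...}
++[mschap] returns ok
} # server inner-tunnel
rad_recv: Access-Request packet from host 10.0.0.5 port 1645, id=13, length=190
+- entering group authorize {...}
++[eap] returns updated
server inner-tunnel {
+- entering group authorize {...}
++[eap] returns updated
[LDAPsvr1] performing search in dc=example,dc=com, with filter (uid=bob)
++[LDAPsvr1] returns ok
+- entering group LDAP {...}
[LDAPsvr2] login attempt by "bob" with password "..."
++[LDAPsvr2] returns ok
} # server inner-tunnel
+- entering group post-auth {...}
++[exec] returns noop
"""


def attribute_ldap_calls(lines):
    """Return a Counter keyed by (server, section, module, kind)."""
    server, section = "default", None
    counts = Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        if m := ENTER_SERVER.match(line):
            server = m.group(1)
            continue
        if LEAVE_SERVER.match(line):
            server = "default"
            continue
        if m := ENTER_GROUP.match(line):
            section = m.group(1)
            continue
        if m := LDAP_SEARCH.match(line):
            counts[(server, section, m.group(1), "search")] += 1
        elif m := LDAP_BIND.match(line):
            counts[(server, section, m.group(1), "bind")] += 1
    return counts


def summarize(counts):
    """Render the attribution as sorted 'server/section module kind: n' lines."""
    return [f"{srv}/{sec} {mod} {kind}: {n}"
            for (srv, sec, mod, kind), n in sorted(counts.items())]


if __name__ == "__main__":
    # Usage: radiusd -X 2>&1 | tee debug.log ; python3 ldap_attrib.py debug.log
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TRACE.splitlines()
    for row in summarize(attribute_ldap_calls(src)):
        print(row)
```

In the constructed trace every lookup lands in `inner-tunnel`, which matches Alan's point that LDAP only gets called from the inner tunnel with the default layout: each inner EAP packet that gets past `eap { ok = return }` re-runs the inner `authorize` section, and therefore the `redundant-load-balance` LDAP search, before the MSCHAPv2 exchange finishes. Running the script on a real trace tells you which server/section pair to reduce instead of guessing.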


