Authentication using LDAP for 802.1x

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 19 17:09:00 CEST 2013


On 19/06/13 15:32, Olivier Beytrison wrote:
> On 19.06.2013 16:02, A.L.M.Buxey at lboro.ac.uk wrote:
>> Hi,
>>
>>> Some other comments -
>>>
>>> Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
>>> 2.2.x.
>>>
>>> Save yourself some round trip packets by setting default_eap_type
>>> = ttls in eap.conf
>>>
>>> Save yourself some LDAP lookups by removing ldap from the outer.
>>
>> ..and save some more hits to LDAP by wrapping the call to it in the
>> authorization stage to just the EAP Identity packet :-)
>
> That's pretty interesting, what's the if() you're doing to achieve that?

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
   authorize {
     eap

     # stop processing authorize on eap identity or mschap success/fail
     # EAP-Type 1 is an Identity response.  The regex matches the printed
     # octets of a 6-byte EAP Response (code 0x02, any id, length 0x0006)
     # of type 0x1a (MS-CHAPv2), i.e. the client's Success/Failure response.
     if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
       noop
     }
     else {
       # rest of config goes here
     }
   }
}

Note however that you can avoid this in "master" versions of the server 
with:

server inner-tunnel {
   authorize {
     eap {
       ok = return
     }
   }
}

...as the EAP module was updated to return "ok" on identity/mschap 
responses. Yet another reason to upgrade!

