LDAP authorize for both EAP-TLS and EAP-PEAP

David Hartburn D.J.Hartburn at kent.ac.uk
Thu Dec 17 16:11:42 CET 2015


Can anyone advise on the best method for performing an LDAP authorize if 
I'm using both EAP-TLS and EAP-PEAP?

In my site config, I do:
	eap {
		ok = return
	}
	-ldap

This works great for PEAP, as the eap module returns an ok, then the 
LDAP lookup is performed in the inner tunnel, once only.

However when a certificate based client associates with EAP-PEAP, the 
eap module returns 'updated' and the ldap check is performed for each 
packet. I have updated the ldap line to be:
	ldap {
		notfound = reject
	}
For a successful authentication, it performs the ldap search a number of 
times. Is there any way I can only do this once?

Dave Hartburn

