LDAP authorize for both EAP-TLS and EAP-PEAP
A.L.M.Buxey at lboro.ac.uk
Thu Dec 17 19:28:57 CET 2015
Hi,
>
> In my site config, I do:
> eap {
>     ok = return
> }
> -ldap
>
> This works great for PEAP, as the eap module returns an ok, then
> the LDAP lookup is performed in the inner tunnel, once only.
>
> However when a certificate based client associates with EAP-PEAP,
> the eap module returns 'updated' and the ldap check is performed for
> each packet. I have updated the ldap line to be:

how are you doing policies on EAP-TLS clients? some people use ldap for
looking up memberships/groups etc - hence the fall-through is fine
for default.... but not for your use case.

if you don't want ldap to be processed...and the module returns 'updated'
then maybe

eap {
    ok = return
    updated = return
}
-ldap

(don't forget, EAP-TLS won't go into inner-tunnel)

alan
More information about the Freeradius-Users
mailing list