I have a freeradius server configured to do both EAP-TLS and LDAP auth. It works great so far. If I have a cert. configured, then I'm authenticated with the cert. If I don't have a cert then I get prompted for my un/pw on my NAS's Captive Portal page, which then passes my username/password on to the Radius server which then checks my LDAP server if my un/pw are correct.
When I look through the debug logs, however, I see that the rlm_ldap module is doing an LDAP search for my username during each stage of the EAP session. Is there a way to configure freeradius so that it won't try LDAP auth in the middle of an EAP session?

Here's my radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 8192
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 0
    status_server = yes
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
    start_servers = 10
    max_servers = 128
    min_spare_servers = 3
    max_spare_servers = 20
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.mycompany.com"
        basedn = "ou=people,dc=mycompany,dc=com"
        filter = "(&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 25
        timeout = 10
        timelimit = 10
        net_timeout = 1
        access_attr_used_for_allow = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}
instantiate {
    expr
}
authorize {
    preprocess
    mschap
    eap
    files
    ldap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
    Auth-Type LDAP {
        ldap
    }
}
preacct {
    preprocess
    acct_unique
    files
}
accounting {
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}

Here's my eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    tls {
        private_key_password =
        private_key_file = /etc/raddb/certs/mycompany.com.key
        certificate_file = /etc/raddb/certs/mycompany.com.crt
        CA_path = /etc/raddb/certs
        dh_file = /etc/raddb/certs/dh
        random_file = /etc/raddb/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = yes
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
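An added example, not part of the original post, showing the authorize ordering that stops rlm_ldap from being called on every EAP round trip; it assumes FreeRADIUS 2.0 or later, where the eap module returns ok in authorize for the TTLS/PEAP setup packets and the per-module return-code override syntax is available.

```unlang
# authorize section as written in the post: every EAP packet
# (TLS handshake fragments, tunnel setup) passes through eap and then
# falls through to files and ldap, so rlm_ldap searches for the user
# on each round trip.
authorize {
    preprocess
    mschap
    eap
    files
    ldap
}

# Same section with the return-code override (FreeRADIUS 2.0+, assumed).
# When eap recognises an EAP-Message it sets Auth-Type and returns ok;
# "ok = return" ends the section right there, so files and ldap run
# only for non-EAP requests, such as the captive portal's plain
# username/password Access-Request that is meant to be checked in LDAP.
authorize {
    preprocess
    mschap
    eap {
        ok = return
    }
    files
    ldap
}
```

The override depends on the 2.0 behaviour of rlm_eap returning ok in authorize; with a 1.x-style configuration like the one in the post, eap does not return ok at that stage, so the override would have no effect there.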