On 23/06/11 17:29, Alan DeKok wrote:
Phil Mayers wrote:
Also in discussions on JANET-ROAMING, it seems people are seeing 3 queries to their LDAP servers in inner-tunnel. I believe this is because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:
* EAP identity -> Access-Challenge with EAP-MSCHAP challenge * EAP-MSCHAP response packet -> Access-Challenge with EAP success * EAP success -> Access-Accept
Oops.
I have found a vile solution: raddb/policy.conf: policy { eap_inner { eap { updated = 1 } # stop processing authorize on eap identity or mschap success/fail if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) { noop } } } raddb/sites-enabled/*-tunnel: authorize { eap_inner if (updated) { ldap sql other_query } } ;o) This would actually be quite clean if you could write: policy { blah { } } authorize { blah { ok = return } } ...but it seems that's not supported.
...can be used to stop processing, but that's specific to the PEAP/TTLS EAP types; the EAP module just returns "updated" for EAP-Identity and EAP-Success packets.
Should rlm_eap return "ok" (or something) in authorize if the packet is an EAP-Identity, NAK, Success or Failure packets? Or maybe "handled" (although that's riskier, since the user can't opt out of it).
Maybe "ok" is better.
This would allow you to do:
server inner-tunnel { authorize { eap { ok = return } ldap } }
Obviously you need to run SQL/LDAP for inner-eap method "response" packets to read Cleartext-Password / NT-Password in time for the authenticate {} section.
Sounds good to me.
Patch? :)
It's untested because I have to dash, but the attached should do it. I'll compile it up and test tomorrow.