diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c index 4eb9c04..255daf8 100644 --- a/src/modules/rlm_eap/eap.c +++ b/src/modules/rlm_eap/eap.c @@ -798,6 +798,32 @@ int eap_start(rlm_eap_t *inst, REQUEST *request) RDEBUG2("Continuing tunnel setup."); return EAP_OK; } + /* + * We return ok in response to EAP identity and MSCHAP success/fail + * This means we can write: + * + * eap { + * ok = return + * } + * ldap + * sql + * + * ...in the inner-tunnel, to avoid expensive and unnecessary SQL/LDAP lookups + */ + if (eap_msg->vp_octets[4] == PW_EAP_IDENTITY) { + RDEBUG2("EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize"); + return EAP_OK; + } + if ((eap_msg->vp_octets[4] == PW_EAP_MSCHAPV2) && (eap_msg->length >= 6)) { + switch (eap_msg->vp_octets[5]) { + case 3: + RDEBUG2("EAP-MSCHAPV2 success, returning short-circuit ok"); + return EAP_OK; + case 4: + RDEBUG2("EAP-MSCHAPV2 failure, returning short-circuit ok"); + return EAP_OK; + } + } /* * Later EAP messages are longer than the 'start'