Phil Mayers wrote:
Also in discussions on JANET-ROAMING, it seems people are seeing 3 queries to their LDAP servers in inner-tunnel. I believe this is because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:
* EAP identity -> Access-Challenge with EAP-MSCHAP challenge * EAP-MSCHAP response packet -> Access-Challenge with EAP success * EAP success -> Access-Accept
Oops.
...can be used to stop processing, but that's specific to the PEAP/TTLS EAP types; the EAP module just returns "updated" for EAP-Identity and EAP-Success packets.
Should rlm_eap return "ok" (or something) in authorize if the packet is an EAP-Identity, NAK, Success or Failure packets? Or maybe "handled" (although that's riskier, since the user can't opt out of it).
Maybe "ok" is better.
This would allow you to do:
server inner-tunnel { authorize { eap { ok = return } ldap } }
Obviously you need to run SQL/LDAP for inner-eap method "response" packets to read Cleartext-Password / NT-Password in time for the authenticate {} section.
Sounds good to me. Patch? :) Alan DeKok.