Hi, this is a usage question, redirecting to -users. You should call your module only in innner-tunnel/authorize, not in the outer request (default/authorize). Greetings, Stefan Winter On 27.03.2014 13:53, Yannick Koehler wrote:
Hi,
I have an authorization module to write for FreeRADIUS that does a fair amount of CPU intensive SQL queries 1-2 seconds time. But the problem is that when a 802.1x authentication is occuring this event occurs many times 4-5 times at each reception of RADIUS Access Request. Also, at that time the username is not the final one (normally the final one is sent within the MSCHAPv2 from within the TLS tunnel used by PEAP or EAP-TLS or EAP-TTLS).
Is there a way for my authorization module to trigger the work to be done only if EAP is at the stage of handling the internal authentication? Can for example my module communicate with the EAP module and look at an internal flag somewhere to know if the TLS tunnel has been completed?
I would like the following:
Access Request (EAP identity response) -> authorization module - no CPU intensive <-- Access Challenge (EAP TLS Server Hello)
Access Request (EAP TLS Client Hello) -> authorization module - no CPU intensive <-- Access Challenge
etc. until TLS is established
Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU intensive query <-- Access Accept
-- Yannick Koehler
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66