Hi all, I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity: As I understand it, in case of a non-EAP RADIUS request (eg from my old modem servers), there is no tunnel and hence no inner identity. ==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right? In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during Tunnel setup (Our EAP Clients use anonymous@uni-marburg.de as outer identity). Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'. freeradius then happily proceeds to do the real authentication with inner-tunnel. Now I wonder how to avoid that extra LDAP query. Here's my config (ldap123 refers to a virtual module doing redundant-load-balance with 3 LDAP servers): default: authorize { preprocess chap mschap suffix eap { ok = return } unix files ldap123 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap Auth-Type LDAP { ldap123 } } inner-tunnel: authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap123 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap123 } eap } And here is the (hopefully) relevant part of the output of freeradius -X: radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.75.246 port 1645, id=68, length=166 User-Name = "anonymous@uni-marburg.de" Framed-MTU = 1400 Called-Station-Id = "0013.8011.a1e0" Calling-Station-Id = "001b.7720.e19d" Service-Type = Login-User Message-Authenticator = 0xc8c71b2e61687810d83b54a62fbc0150 EAP-Message = 0x0202001d01616e6f6e796d6f757340756e692d6d6172627572672e6465 NAS-Port-Type = Wireless-802.11 NAS-Port = 14662 NAS-IP-Address = 192.168.75.246 NAS-Identifier = "warz004" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "uni-marburg.de" for User-Name = "anonymous@uni-marburg.de" [suffix] Found realm "uni-marburg.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "uni-marburg.de" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> anonymous@uni-marburg.de ++[files] returns ok ++- entering policy ldap123 {...} +++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for anonymous [ldap3] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap3] expand: (&(uid:caseExactMatch:=%{Stripped-User-Name:-%{User-Name}}) (!(UniMrDarfRadius=0))) -> (&(uid:caseExactMatch:=anony mous) (!(UniMrDarfRadius=0))) [ldap3] expand: ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE -> ou=people,ou=Students,ou=Accounts,o=Universitaet M arburg,c=DE rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to auth3.students.uni-marburg.de:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/deutsche-telekom-root-ca-2.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as uid=radius,ou=Proxy,o=Universitaet Marburg,c=DE/JhkG0iH to auth3.students.uni-marburg.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE, with filter (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0))) rlm_ldap: object not found [ldap3] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++++[ldap3] returns notfound +++- redundant-load-balance group redundant-load-balance returns notfound ++- policy ldap123 returns notfound ++[expiration] returns noop ++[logintime] returns noop Thanks for any help Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg