Jeffrey Collyer wrote:
setup information that I failed to explain properly the first time : freeradius 2.1.7 is used to authenticate wireless users with eap-tls
Well... that would have been nice to say.
I started with a default configuation and added ldap to it in the sites-enabled/default file's authorize section. And it worked authenticating the client, but with many (about a dozen) ldap lookups.
Because there are about a dozen EAP packet exchanges.
Then I realized that the 'tls' section of the modules/eap.conf file doesn't have a virtual_server directive, but even after putting that in the 'tls' section, its still doesn't run an ldap query when I try to authenticate.
Because the "virtual_server" directive doesn't belong in the "tls" section.
So my assumption is that the eap module doesn't use the inner tunnel for tls.
Yes. The solution is to move the LDAP checks to the "post-auth" stage. Alan DeKok.