On 9/17/10 11:09 AM, Alan DeKok wrote:
Jeffrey Collyer wrote:
Could someone give me a pointer/hint as to how to configure eap/ldap to cut down on the number of ldap queries. Any help greatly appreciated.
The default configuration does *not* do LDAP lookups. So... use the default config, and then enable LDAP lookups in the "inner-tunnel".
setup information that I failed to explain properly the first time : freeradius 2.1.7 is used to authenticate wireless users with eap-tls with the users authorization to connect being the cn of the certificates they have on their client. That cn is checked against ldap for an attirbute 'wirelessAccess'. (and I know that the certs outer identity can be set to anything, but for this test its valid on the connecting machine.) I started with a default configuation and added ldap to it in the sites-enabled/default file's authorize section. And it worked authenticating the client, but with many (about a dozen) ldap lookups. I then moved the ldap line over to the sites-enabled/inner-tunnel file and removed it from default. The configuration would run, but would not validate against ldap. Then I realized that the 'tls' section of the modules/eap.conf file doesn't have a virtual_server directive, but even after putting that in the 'tls' section, its still doesn't run an ldap query when I try to authenticate. So my assumption is that the eap module doesn't use the inner tunnel for tls. If this is not the case, then I can certainly provide the debug output from 'freeradius -X', but I don't want to waste the bits if my assumption is true. Thanks Jeff