Martin Pauly wrote:
I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity:
As I understand it, in case of a non-EAP RADIUS request (eg from my old modem servers), there is no tunnel and hence no inner identity. ==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right?
Yes.
In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during Tunnel setup (Our EAP Clients use anonymous@uni-marburg.de as outer identity).
Yes.
Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'.
Because that's what you configured...
freeradius then happily proceeds to do the real authentication with inner-tunnel. Now I wonder how to avoid that extra LDAP query.
$ man unlang There's an entire policy language to define rules. Replace the "ldap123" line in the "authorize" seciton with: if (!EAP-Message) { ldap123 } Alan DeKok.