When I did the upgrade I had just copied-pasted my old configuration and it worked without issue, so I completely missed the inner-tunnel.

 

Making those changes helped alot and reduced the LDAP calls to 3 - Thanks!! I would like to drop this further, as it seems that 2 of them are from the authorize section.  I can't seem to remove it from the authorize section, though, as doing so pisses off mschap (can't find NT-password) and removing mschap pisses off FR (no auth-type defined).  Also, I use a LDAP huntgroup, where users in an LDAP group are allowed to attached to a special SSID, which i think is part of the authorization process....

 

So here is my new configuration, perhaps someone can spot something i'm missing? (tried looking through documentation, can't seem to find my error).

 

default file:

 

authorize {

    preprocess

    auth_log

    mschap

    suffix

    ntdomain

    eap {

        ok = return

    }

    files {

        notfound = reject

        noop = reject

        fail = reject

    }

    expiration

    logintime

}

 

authenticate {

    eap

}

 

 

and inner-tunnel:

 

authorize {

    unix

    suffix

    ntdomain

    update control {

            Proxy-To-Realm := LOCAL

    }

    eap {

        ok = return

    }

    files

    redundant-load-balance {

            LDAPsvr1

            LDAPsvr2

    }

    expiration

    logintime

}

 

authenticate {

    Auth-Type LDAP {

            redundant-load-balance {

                    LDAPsvr1

                    LDAPsvr2

            }

    }

    unix

    eap

}

 

>Hi,
>> I will need to do some more research on inner-tunnels, as i'm not too familiar with them.  How would I add the ldap components?  as >part of the peap module itself?
>
>no - you simply configure the required part of the inner-tunnel virtual server - inner-tunnel
>virtual server gets called as part of the EAP config - and _only_ as part of EAP with default config - check the default raddb config

>alan