But if I put it under inner-tunnel/authorize will it still work with PAP/CHAP (without 802.1x) and EAP-MD5 and others which are not using an inner-tunnel? Since I can't known in advance when each will be used. It is my understanding that for those without inner-tunnel I need to put the code in the main authorize as well as within the inner-tunnel, which will result in expensive SQL calls when 802.1x will be used because the main global authorize will then be invoked. 2014-03-27 8:58 GMT-04:00 Stefan Winter <stefan.winter@restena.lu>:
Hi,
this is a usage question, redirecting to -users.
You should call your module only in innner-tunnel/authorize, not in the outer request (default/authorize).
Greetings,
Stefan Winter
On 27.03.2014 13:53, Yannick Koehler wrote:
Hi,
I have an authorization module to write for FreeRADIUS that does a fair amount of CPU intensive SQL queries 1-2 seconds time. But the problem is that when a 802.1x authentication is occuring this event occurs many times 4-5 times at each reception of RADIUS Access Request. Also, at that time the username is not the final one (normally the final one is sent within the MSCHAPv2 from within the TLS tunnel used by PEAP or EAP-TLS or EAP-TTLS).
Is there a way for my authorization module to trigger the work to be done only if EAP is at the stage of handling the internal authentication? Can for example my module communicate with the EAP module and look at an internal flag somewhere to know if the TLS tunnel has been completed?
I would like the following:
Access Request (EAP identity response) -> authorization module - no CPU intensive <-- Access Challenge (EAP TLS Server Hello)
Access Request (EAP TLS Client Hello) -> authorization module - no CPU intensive <-- Access Challenge
etc. until TLS is established
Access Request (EAP TLS MSCHAPv2) -> authorization module - CPU intensive query <-- Access Accept
-- Yannick Koehler
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Tel: +352 424409 1 Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-- Yannick Koehler Courriel: yannick@koehler.name Blog: http://corbeillepensees.blogspot.com