Martin Kraus wrote:
I'm using TTLS+TLS.
Then what are you looking up in ldap?
I can see that the eap { ok = return } automagically skips to the authentication section but the first two access-requests in the session cause it to return updated status so the ldap lookups are executed. I assume there isn't much I can do about that, right?
Sure. You can look at the debug output, see what's different between packets N and N+1, and use those differences to selectively run ldap.
I then have a separate problem with the inner-tunnel where the inner-eap never returns ok in the authorization section so it keeps on doing the ldap lookups. in the session I have it did 9 separate passes which together with the outer tunnel is 11 ldap passes which in my case is more then 30 ldap lookups for a single user login.
Again, look at the debug output.
There are also these warnings in inner-tunnel
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
but the inner tls session seems to be still progressing fine since the last warning is right before the last access-request which results in the access-accept for the user.
Read it again. The ONLY time that message is produced is when the EAP session doesn't finish. There are likely 2-3 failed attempts before one success. If you only look at the succes...
Is there something I can do about the 9 lookups in the inner-tunnel server? I'll have a look at the rlm_cache as well but I'm just curious as to why is it happening.
Because that's what you told it to do. The server is pretty dumb that way. Again, look at the debug log to see what's happening. *WHY* are you doing LDAP lookups at all? Can you not delay them? And rlm_cache should help a lot, too. Alan DeKok.