I will need to do some more research on inner-tunnels, as i'm not too familiar with them. How would I add the ldap components? as part of the peap module itself? All the documentation i've found on LDAP requires the ldap modules to be referenced in both the authorize and authentication sections directly. It would be useful to see some more examples. -----Inline Message Follows----- Have you tried to configure an inner-tunnel for peap? it will reduce the ldap lookups. 2009/9/17 Brian Wilson <briw111@yahoo.com>:
Hi all,
A few months ago I had posted this topic to the list, and unfortunately before I could work further on it I got pulled onto another assignment. I apologize to those that tried helping before. I modified my config per their recommendations, but still having the same problem....
I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2, freeradius and edirectory setup. Essentially, the ldap requests are taking 3-4 seconds to resolve. In addition, freeradius ends up doing in the neighborhood of 5-6 ldap lookups for each client trying to attach. I am unsure of why this is happening. Below is my configuration: (This is freeradius 2.1.6)
authorize{ preprocess auth_log suffix ntdomain eap { ok = return } files { notfound = reject noop = reject fail = reject } redundant-load-balance { LDAPsvr1 LDAPsvr2 } expiration logintime }
authenticate { Auth-Type MS-CHAP { mschap } Auth-Type LDAP { redundant-load-balance { LDAPsvr1 LDAPsvr2 } } eap }
and in eap.conf, i have default-eap-type set to peap, and not mschapv2.
here is a snippet of debug info I had posted before; this tends to repeat at nassuem about 4-5 more times before the actual access-accept is sent:
rad_recv: Access-Request packet from host blah port 32769, id=5, length=196 User-Name = "test" Calling-Station-Id = "mac" Called-Station-Id = "mac:blah" NAS-Port = 1 NAS-IP-Address = ipblah
NAS-Identifier = "nameblah" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = (trimmed) Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134 +- entering group authorize {...} [preprocess] expand: %{Called-Station-Id} -> mac:blah
++[preprocess] returns ok [auth_log] expand: (trimmed) [auth_log](trimmed) [auth_log] expand: %t -> Wed Jun 17 10:00:10 2009 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "company" for User-Name = "test" [ntdomain] Found realm "company" [ntdomain] Adding Stripped-User-Name = "test" [ntdomain] Adding Realm = "company" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 178 ++[files] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [LDAPsvr2] performing user authorization for test [LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test) [LDAPsvr2] expand: t=company -> t=company rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=company, with filter (cn=test) [LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password [LDAPsvr2] No default NMAS login sequence [LDAPsvr2] looking for check items in directory... [LDAPsvr2] looking for reply items in directory... [LDAPsvr2] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[LDAPsvr2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 5 to blah port 32769 EAP-Message = (trimmed) Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfea96b9cfeaa7186011d5bcc3cb2528f Finished request 67. Going to the next request Waking up in 9.9 seconds. rad_recv: Access-Request packet from host blah port 32769, id=6, length=193 User-Name = "test" Calling-Station-Id = "mac" Called-Station-Id = "mac:blah" NAS-Port = 1 NAS-IP-Address = blah
NAS-Identifier = "nameblah" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060319 State = 0xfea96b9cfeaa7186011d5bcc3cb2528f Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c +- entering group authorize {...} [preprocess] expand: %{Called-Station-Id} -> mac:blah ++[preprocess] returns ok [auth_log] expand: (trimmed) [auth_log] (trimmed) [auth_log] expand: (trimmed) ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "company" for User-Name = "test" [ntdomain] Found realm "company" [ntdomain] Adding Stripped-User-Name = "test" [ntdomain] Adding Realm = "company" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 178 ++[files] returns ok ++- entering redundant-load-balance group redundant-load-balance {...} [LDAPsvr1] performing user authorization for test [LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test) [LDAPsvr1] expand: t=company -> t=company rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in t=company, with filter (cn=test) [LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password [LDAPsvr1] No default NMAS login sequence [LDAPsvr1] looking for check items in directory... [LDAPsvr1] looking for reply items in directory... [LDAPsvr1] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[LDAPsvr1] returns ok ++- redundant-load-balance group redundant-load-balance returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 6 to blah port 32769 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfea96b9cffad7286011d5bcc3cb2528f Finished request 68. Going to the next request Waking up in 5.2 seconds.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com