Tobias Hachmer wrote: Now I'm coming closer to my questions. When a local user logon to a telnet device freeradius does all the ldap membership queries. When an AD user will logon to a telnet device freeradius also does all the ldap membership queries.
Q1: Can I abbreviate this process that when a local user wants access to a telnet device the ldap queries will be skipped? Q2: Is there a smarter way to reject a local user immediately when he wants to logon to a non telnet device? Q3: Is there a smarter way to reject an AD user immediately when he wants to logon to a telnet device?
You could use Auth-Type subsections, but with LDAP the control flow can be a bit confusing (the statements in the block outside those sections all run, and then the block gets run again from the top once an Auth-Type is selected, which happens inside of the ldap module.) Your best bet for this scenario is to look at the "as of 2.0" instructions in clients.conf, where you can select a virtual server to enter based on which clients are requesting, and construct a separate virtual server for telnet devices.
Q4: Are there any tweaking capabilities to my unlang code to make it smarter or more hardened? Q5: Can I abbreviate any code snippets like using a switch/case block or use variables or anything I don't know?
When using Ldap-Group as a check item, you have to be careful, because it is a special case. You are not really comparing the value after the '==' to a variable, rather each time an LDAP group query is launched looking for the value after the '=='. This is the way LDAP groups work -- you do not query a list of groups, you query them one-by-one. Note that using Ldap-Group in the "users" file is also inefficient. I use a nested if statement to short-circuit, and sort by prevalence, but I do not have quite as many cases as you.