Hi,
In my site config, I do: eap { ok = return } -ldap
This works great for PEAP, as the eap module returns and ok, then the LDAP lookup is performed in the inner tunnel, once only.
However when a certificate based client associates with EAP-PEAP, the eap module returns 'updated' and the ldap check is performed for each packet. I have updated the ldap line to be:
how are you doing policies on EAP-TLS clients? some people use ldap for looking up memberships/groups etc - hence the fall-through is fine for default.... but not for your use case. if you dont want ldap to be processed...and the module returns 'updated' then maybe eap { ok = return updated = return } -ldap (dont forget, EAP-TLS wont go into inner-tunnel) alan