Re: Re: Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
When I did the upgrade I had just copied-pasted my old configuration and it worked without issue, so I completely missed the inner-tunnel. Making those changes helped alot and reduced the LDAP calls to 3 - Thanks!! I would like to drop this further, as it seems that 2 of them are from the authorize section. I can't seem to remove it from the authorize section, though, as doing so pisses off mschap (can't find NT-password) and removing mschap pisses off FR (no auth-type defined). Also, I use a LDAP huntgroup, where users in an LDAP group are allowed to attached to a special SSID, which i think is part of the authorization process.... So here is my new configuration, perhaps someone can spot something i'm missing? (tried looking through documentation, can't seem to find my error). default file: authorize { preprocess auth_log mschap suffix ntdomain eap { ok = return } files { notfound = reject noop = reject fail = reject } expiration logintime } authenticate { eap } and inner-tunnel: authorize { unix suffix ntdomain update control { Proxy-To-Realm := LOCAL } eap { ok = return } files redundant-load-balance { LDAPsvr1 LDAPsvr2 } expiration logintime } authenticate { Auth-Type LDAP { redundant-load-balance { LDAPsvr1 LDAPsvr2 } } unix eap }
Hi,
I will need to do some more research on inner-tunnels, as i'm not too familiar with them. How would I add the ldap components? as >part of the peap module itself?
no - you simply configure the required part of the inner-tunnel virtual server - inner-tunnel virtual server gets called as part of the EAP config - and _only_ as part of EAP with default config - check the default raddb config
alan
Hi,
Making those changes helped alot and reduced the LDAP calls to 3 - Thanks!! I would like to drop this further, as it seems that 2 of them are from the authorize section. I can't seem to remove it from the authorize section, though, as doing so pisses off mschap (can't find NT-password) and removing mschap pisses off FR (no auth-type defined). Also, I use a LDAP huntgroup, where users in an LDAP group are allowed to attached to a special SSID, which i think is part of the authorization process....
in this case you need to use LDAP in the authorise section - no two ways about it. however, thiat then becomes a backend issue - so you need to find out why it takes so long to do a query at that point alan
participants (2)
-
Alan Buxey -
Brian Wilson