Stopping LDAP searches during each part of EAP session?
I have a freeradius server configured to do both EAP-TLS and LDAP auth. It works great so far. If I have a cert. configured, then I'm authenticated with the cert. If I don't have a cert then I get prompted for my un/pw on my NAS's Captive Portal page, which then passes my username/password on to the Radius server which then checks my LDAP server if my un/pw are correct. When I look through the debug logs, however, I see that the rlm_ldap module is doing an LDAP search for my username during each stage of the EAP session. Is there a way to configure freeradius so that it won't try LDAP auth in the middle of an EAP session? Here's my radiusd.conf: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radius group = radius max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 8192 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = after lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 0 status_server = yes } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 10 max_servers = 128 min_spare_servers = 3 max_spare_servers = 20 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "ldap.mycompany.com" basedn = "ou=people,dc=mycompany,dc=com" filter = "(&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))" start_tls = yes dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 25 timeout = 10 timelimit = 10 net_timeout = 1 access_attr_used_for_allow = yes } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { expr } authorize { preprocess mschap eap files ldap } authenticate { Auth-Type MS-CHAP { mschap } eap Auth-Type LDAP { ldap } } preacct { preprocess acct_unique files } accounting { } session { } post-auth { } pre-proxy { } post-proxy { } Here's my eap.conf: eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { private_key_password = private_key_file = /etc/raddb/certs/mycompany.com.key certificate_file = /etc/raddb/certs/mycompany.com.crt CA_path = /etc/raddb/certs dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes check_crl = yes } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 } mschapv2 { } }
Matt Alexander wrote:
When I look through the debug logs, however, I see that the rlm_ldap module is doing an LDAP search for my username during each stage of the EAP session. Is there a way to configure freeradius so that it won't try LDAP auth in the middle of an EAP session?
See the example "authorize" section and "eap" config in 1.1.7. In 2.0, this is a lot easier to control. Alan DeKok.
participants (2)
-
Alan DeKok -
Matt Alexander