How to handle EAP/LDAP or files with same server
I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and mostly having great success (performance is so much better!) but can't seem to figure out how to handle two different types of wireless authentication in separate non-overlapping ways. Case 1 is EAP/TLS where user ID (email address from cleint cert) is also looked up via LDAP. Case 2 is MAC authentication using the users file. I have both of these working with one issuse, MACs that are not in the users file are being sent to LDAP server adding unnecessary load. authorize { preprocess files ldap { notfound = return } eap } The solution I can think of is to only send user name's that are email addresses to ldap. Is this something that can be done with a proxy conf and realms? I'm having trouble understanding if/how those can influence the authorize section. Thanks, -Keith ------------------------------------------------------------------------ Keith Moores <mailto:kmm6b@virginia.edu> Network Systems ITC-Communications and Systems Division University of Virginia, ITC-2015 Ivy Rd Phone (434) 924-0621 Box 400324, Charlottesville, VA 22904-4324 Fax (434) 982-4715
Keith Moores <kmm6b@virginia.edu> wrote:
I have both of these working with one issuse, MACs that are not in the users file are being sent to LDAP server adding unnecessary load.
One solution is to recognize MAC's, and NOT look them up in LDAP. Another is to recognize email addresses, and cause them to be looked up in LDAP.
The solution I can think of is to only send user name's that are email addresses to ldap. Is this something that can be done with a proxy conf and realms?
No. This should work: #-- users file DEFAULT User-Name =~ "@", EAP-Message =* 0x00, Autz-Type := email #--- #--- radiusd.conf authorize { preprocess files Autz-Type email { ldap eap } } #--- Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Keith Moores