Number of LDAP/SQL queries in inner-tunnel
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 23 15:18:43 CEST 2011
Also in discussions on JANET-ROAMING, it seems people are seeing 3
queries to their LDAP servers in inner-tunnel. I believe this is
because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:
* EAP identity -> Access-Challenge with EAP-MSCHAP challenge
* EAP-MSCHAP response packet -> Access-Challenge with EAP success
* EAP success -> Access-Accept
In the outer tunnel the trick:
    eap {
        ok = return
    }
...can be used to stop processing, but that's specific to the PEAP/TTLS
EAP types; the EAP module just returns "updated" for EAP-Identity and
EAP-Success packets.
Should rlm_eap return "ok" (or something) in authorize if the packet is
an EAP-Identity, NAK, Success or Failure packet? Or maybe "handled"
(although that's riskier, since the user can't opt out of it).
This would allow you to do:
    server inner-tunnel {
        authorize {
            eap {
                ok = return
            }
            ldap
        }
    }
Obviously you need to run SQL/LDAP for inner-eap method "response"
packets to read Cleartext-Password / NT-Password in time for the
authenticate {} section.
Cheers
Phil
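The return-code flow behind the three-query observation, written out as a small model. This is an added example, not code from the post or from FreeRADIUS: it replays the three inner-tunnel passes the post lists through a toy authorize {} section ("eap" then "ldap"), applying the unlang rule that an "ok = return" override stops the section as soon as that module returns "ok". The packet names, the InnerTunnel class and its functions are constructed for illustration; the behaviour switch models the post's current case (rlm_eap returns "updated" for Identity/Success) against the proposed one (rlm_eap returns "ok" for Identity, NAK, Success and Failure).

```python
"""Toy model of unlang return codes in an inner-tunnel authorize section.

Added example, not part of the original post or of FreeRADIUS. It only
models the rules the post describes: modules return a code, and
"ok = return" inside a module call ends the section immediately when that
module returns "ok".
"""

# Constructed sample input: the three inner-tunnel passes of one
# PEAP/MSCHAPv2 login, in the order the post lists them.
PEAP_PASSES = ["identity", "mschap-response", "success"]

# Packet kinds for which the post proposes rlm_eap should return "ok"
# in authorize, because no password lookup is needed to answer them.
NON_RESPONSE_PACKETS = {"identity", "nak", "success", "failure"}


class InnerTunnel:
    """Models:  authorize { eap { ok = return }  ldap }"""

    def __init__(self, eap_returns_ok_for_non_response):
        # False: current behaviour ("updated" for Identity/Success).
        # True: proposed behaviour ("ok" for Identity/NAK/Success/Failure).
        self.short_circuit = eap_returns_ok_for_non_response
        self.ldap_calls = []  # which packets reached the ldap module

    def eap(self, packet):
        if packet in NON_RESPONSE_PACKETS:
            return "ok" if self.short_circuit else "updated"
        # A method response packet (EAP-MSCHAP response): the password must
        # still be fetched before authenticate {} runs, so never "ok" here.
        return "updated"

    def ldap(self, packet):
        # Stand-in for the LDAP/SQL lookup of Cleartext-/NT-Password.
        self.ldap_calls.append(packet)
        return "ok"

    def authorize(self, packet):
        rcode = self.eap(packet)
        if rcode == "ok":
            # the "ok = return" override: leave the section now
            return rcode
        return self.ldap(packet)


def ldap_packets(short_circuit):
    """Run one PEAP login through the section; return the packets that
    caused an LDAP query."""
    tunnel = InnerTunnel(short_circuit)
    for packet in PEAP_PASSES:
        tunnel.authorize(packet)
    return tunnel.ldap_calls


def ldap_queries_per_login(short_circuit):
    return len(ldap_packets(short_circuit))


if __name__ == "__main__":
    print("current :", ldap_queries_per_login(False), ldap_packets(False))
    print("proposed:", ldap_queries_per_login(True), ldap_packets(True))
```

With the current return codes every pass falls through to ldap, giving the three queries per login seen on JANET-ROAMING; with the proposed codes only the MSCHAP response packet reaches ldap, which is the one pass that actually needs the password for authenticate {}.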