Also in discussions on JANET-ROAMING, it seems people are seeing 3 
queries to their LDAP servers in inner-tunnel. I believe this is 
because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:

  * EAP identity -> Access-Challenge with EAP-MSCHAP challenge
  * EAP-MSCHAP response packet -> Access-Challenge with EAP success
  * EAP success -> Access-Accept

In the outer tunnel the trick:

eap {
  ok = return
}

...can be used to stop processing, but that's specific to the PEAP/TTLS 
EAP types; the EAP module just returns "updated" for EAP-Identity and 
EAP-Success packets.

Should rlm_eap return "ok" (or something) in authorize if the packet is 
an EAP-Identity, NAK, Success or Failure packet? Or maybe "handled" 
(although that's riskier, since the user can't opt out of it).

This would allow you to do:

server inner-tunnel {
  authorize {
   eap {
     ok = return
   }
   # SQL/LDAP lookups follow here
  }
}

Obviously you need to run SQL/LDAP for inner-eap method "response" 
packets to read Cleartext-Password / NT-Password in time for the 
authenticate {} section.
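
The lookup count described above, as an added example that is not part of the original message and is not FreeRADIUS code: it classifies each inner-tunnel EAP packet and counts directory lookups with and without the proposed short-circuit. Treating only the EAP-MSCHAPv2 Response opcode as needing the password is an assumption drawn from the post; the function names and the sample packets are constructed.

```python
import struct

# EAP codes and types from RFC 3748; type 26 is EAP-MSCHAPv2.
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4
T_IDENTITY, T_NAK, T_MSCHAPV2 = 1, 3, 26
MSCHAP_RESPONSE = 2  # EAP-MSCHAPv2 OpCode that carries the NT-Response

def needs_password_lookup(eap: bytes) -> bool:
    """True only when the inner EAP packet carries a credential proof that
    authenticate {} has to check against Cleartext-Password / NT-Password."""
    if len(eap) < 4:
        raise ValueError("short EAP header")
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return False                  # no type field, nothing to verify
    if code != EAP_RESPONSE or length < 5:
        raise ValueError("unexpected EAP packet from peer")
    etype = eap[4]
    if etype in (T_IDENTITY, T_NAK):
        return False                  # identity / method negotiation only
    if etype == T_MSCHAPV2:
        if length < 6:
            raise ValueError("truncated EAP-MSCHAPv2 packet")
        return eap[5] == MSCHAP_RESPONSE
    return True                       # any other inner method: look up (fail safe)

def eap_packet(code: int, ident: int, body: bytes = b"") -> bytes:
    """Build an EAP packet with a correct length field (hypothetical helper)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed three-pass inner exchange; the MSCHAPv2 payload is zero filler.
PASSES = [
    eap_packet(EAP_RESPONSE, 1, bytes([T_IDENTITY]) + b"alice"),
    eap_packet(EAP_RESPONSE, 2, bytes([T_MSCHAPV2, MSCHAP_RESPONSE, 2]) + bytes(56)),
    eap_packet(EAP_RESPONSE, 3, bytes([T_MSCHAPV2, 3])),  # MSCHAPv2 Success ack
]

def count_lookups(packets, short_circuit: bool) -> int:
    """Count passes that reach SQL/LDAP, with or without the early return."""
    return sum(1 for p in packets if not short_circuit or needs_password_lookup(p))

if __name__ == "__main__":
    print(count_lookups(PASSES, False), count_lookups(PASSES, True))
```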


