Number of LDAP/SQL queries in inner-tunnel
Alan DeKok
aland at deployingradius.com
Thu Jun 23 18:29:51 CEST 2011
Phil Mayers wrote:
> Also in discussions on JANET-ROAMING, it seems people are seeing 3
> queries to their LDAP servers in inner-tunnel. I believe this is
> because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel:
>
> * EAP identity -> Access-Challenge with EAP-MSCHAP challenge
> * EAP-MSCHAP response packet -> Access-Challenge with EAP success
> * EAP success -> Access-Accept
Oops.
> ...can be used to stop processing, but that's specific to the PEAP/TTLS
> EAP types; the EAP module just returns "updated" for EAP-Identity and
> EAP-Success packets.
>
> Should rlm_eap return "ok" (or something) in authorize if the packet is
> an EAP-Identity, NAK, Success or Failure packets? Or maybe "handled"
> (although that's riskier, since the user can't opt out of it).
Maybe "ok" is better.
> This would allow you to do:
>
> server inner-tunnel {
>     authorize {
>         eap {
>             ok = return
>         }
>         ldap
>     }
> }
>
> Obviously you need to run SQL/LDAP for inner-eap method "response"
> packets to read Cleartext-Password / NT-Password in time for the
> authenticate {} section.
Sounds good to me.
Patch? :)
Alan DeKok.
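The point of the thread, as an added illustration that is not code from the thread or from the FreeRADIUS project: a toy model of how the inner-tunnel authorize {} section would be evaluated for the three PEAP/MSCHAPv2 passes Phil lists, counting how often the LDAP module runs. The module behaviours (`rlm_eap_old` returning "updated" for everything, `rlm_eap_proposed` returning "ok" for Identity/NAK/Success/Failure) and the mini unlang runner are assumptions written for this example, not rlm_eap or rlm_ldap code; the NT-Password value is a placeholder.

```python
# Added example, not from the thread or the FreeRADIUS project.
# Models the inner-tunnel authorize {} section for one PEAP/MSCHAPv2 exchange
# and counts the directory queries, with and without "eap { ok = return }".

from dataclasses import dataclass, field

# The three inner-tunnel requests of one PEAP/MSCHAPv2 exchange (constructed).
INNER_PASSES = ["EAP-Identity", "EAP-MSCHAPv2-Response", "EAP-Success"]

# EAP packets that carry no method data and so need no password lookup
# (assumption: the set named in Phil's proposal).
NO_LOOKUP_TYPES = {"EAP-Identity", "EAP-NAK", "EAP-Success", "EAP-Failure"}


@dataclass
class Request:
    eap_type: str
    control: dict = field(default_factory=dict)  # stands in for the control: list
    ldap_queries: int = 0


def rlm_eap_old(req):
    """Behaviour described in the thread: rlm_eap returns 'updated' for every packet."""
    return "updated"


def rlm_eap_proposed(req):
    """Proposed behaviour: 'ok' for packets that need no password, 'updated' otherwise."""
    return "ok" if req.eap_type in NO_LOOKUP_TYPES else "updated"


def rlm_ldap(req):
    """Stand-in for rlm_ldap: one directory query that fills in the password."""
    req.ldap_queries += 1
    req.control["NT-Password"] = "<hash fetched from directory>"  # placeholder value
    return "updated"


def run_authorize(section, req):
    """Minimal unlang: run modules in order and stop early when a module's
    return code is mapped to 'return' in its per-module override block,
    i.e. the 'eap { ok = return }' idiom."""
    for module, overrides in section:
        rcode = module(req)
        if overrides.get(rcode) == "return":
            return rcode
    return "ok"


def count_ldap_queries(eap_module, eap_overrides):
    """Total LDAP queries across the three inner-tunnel passes."""
    section = [(eap_module, eap_overrides), (rlm_ldap, {})]
    total = 0
    for eap_type in INNER_PASSES:
        req = Request(eap_type)
        run_authorize(section, req)
        total += req.ldap_queries
    return total


def password_available_for_response(eap_module, eap_overrides):
    """The one pass that must still reach LDAP so authenticate {} has a password."""
    req = Request("EAP-MSCHAPv2-Response")
    run_authorize([(eap_module, eap_overrides), (rlm_ldap, {})], req)
    return "NT-Password" in req.control


if __name__ == "__main__":
    short_circuit = {"ok": "return"}
    print("current rlm_eap, ok = return:", count_ldap_queries(rlm_eap_old, short_circuit))
    print("proposed rlm_eap, ok = return:", count_ldap_queries(rlm_eap_proposed, short_circuit))
    print("proposed rlm_eap, no override:", count_ldap_queries(rlm_eap_proposed, {}))
```

Both halves of the proposal are needed: with the existing "updated" return code the `ok = return` override never fires and the directory is still hit three times, and with the new "ok" return code but no override the section runs through to ldap anyway. Only the combination leaves a single query, on the method response pass, which is exactly the pass that must read the password before authenticate {}.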