How to handle EAP/LDAP or files with same server

Keith Moores kmm6b at
Fri Nov 10 23:12:12 CET 2006

I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and  
mostly having great success (performance is so much better!) but  
can't seem to figure out how to handle two different types of  
wireless authentication in separate non-overlapping ways.

Case 1 is EAP/TLS where user ID (email address from cleint cert) is  
also looked up via LDAP.

Case 2 is MAC authentication using the users file.

I have both of these working with one issuse, MACs that are not in  
the users file are being sent to LDAP server adding unnecessary load.

authorize {
         ldap {
                 notfound = return

The solution I can think of is to only send user name's that are  
email addresses to ldap.  Is this something that can be done with a  
proxy conf and realms?  I'm having trouble understanding if/how those  
can influence the authorize section.


Keith Moores                                 <mailto:kmm6b at>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd            Phone  (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324         Fax    (434) 982-4715

More information about the Freeradius-Users mailing list