EAP-Handshakes: every reply runs the full authorize-section

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Mon Jun 11 10:16:05 CEST 2007


Rainer Brinkmann wrote:
> FreeRADIUS Version 1.1.0:
> 
> Hello,
> we run EAP-TTLS and what we get in Debug-Mode is, that every received 
> EAP-Packet within the TLS-Tunnel-establish runs the complete 
> authorize-section and slows down the overall time to create a TTLS-Tunnel.
> Reason is, that the User-Name e.g. "NTB-BRINK-610", which is the 
> EAP-Identity, comes with every received EAP-Packet and is always checked 
> against the full authorize-section. Is it possible to skip these redundant 
> checks in the following EAP-responses that build a specific EAP-Session?
> (the EAP-Idents can't be resolved in our LDAP, because those machine names are 
> always unknown to us. What we have to check are the inner-Tunnel 
> credentials)
> 
> kind regards
> 
> Rainer Brinkmann
> Network-Management
> University-Clinicum Hamburg / Germany
> 
> 
> 

Yep, this issue is reduced in 2.0 pre1; the eap module will return 
handled (so will skip the rest of the authorise and authenticate 
sections) when it doesn't need to authenticate the user, or acquire 
attributes for authorisation/authentication.

2.0pre1 brings the number of full autz/auth runs down to around 3-4 per 
EAP authentication.
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
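
The short-circuit described in the reply above, as an added configuration sketch (not part of the original post and not copied from the FreeRADIUS distribution). It assumes an `authorize` section with `preprocess`, `ldap` and `files` module instances; the `ok = return` override is the return-code action FreeRADIUS 2.x uses to end the section when `eap` reports `ok` for a TTLS/PEAP handshake packet.

```conf
# Before (1.x-style, assumed layout): every EAP packet of the outer
# handshake walks the whole section, so ldap is queried each time for
# an outer identity it cannot resolve.
authorize {
	preprocess
	eap
	ldap
	files
}

# After (2.0-style, assumed layout): stop processing the section as soon
# as eap has dealt with the packet itself.
authorize {
	# Checks that must see every packet (sanity checks, blocklists)
	# belong before eap, because everything after it can be skipped.
	preprocess

	eap {
		# Mid-handshake TLS packet: nothing left to look up, so end
		# the section here. A "handled" result already ends the
		# section without an override, as the reply describes.
		ok = return
	}

	# Reached only when eap did not short-circuit, i.e. when attributes
	# are actually needed for authorisation/authentication.
	ldap
	files
}
```

With this layout, any policy placed after `eap` no longer runs on the outer handshake packets, so per-packet checks that must not be bypassed have to sit above it.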


