Newbie question - number of radius requests per session?

Phil Mayers p.mayers at
Wed Oct 31 14:12:01 CET 2007

On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
> I have FreeRadius 1.1.7 installed and talking to our eDirectory
> servers via LDAP to authenticate users to our wireless network.  It
> works great, but our eDirectory servers get hit with 11 requests each
> time a single client authenticates.  Running FreeRadius in debug mode,
> I see 10 requests of the format "Access-Request packet from host
>" and then "Sending Access-Challenge of id 0 to port
> 1082".  Then I see a single final request of the format
> "Access-Request packet from host" and then "Sending
> Access-Accept of id 0 to port 1082".  Each one of these 11
> requests performs a check of the user on our eDirectory servers, hence
> the 11 hits each time a single client authenticates.
> Is this normal or do I need to fix something?  I'd be glad to send the
> entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets.

You have configured the server to run the LDAP lookups on each packet, as
opposed to just once.

The easiest thing is to do this:

authorize {
  Autz-Type INNER {

...and in the "users" file:

DEFAULT	Freeradius-Proxied-To ==, Autz-Type := INNER

This will match the "inner" packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP).

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.

Getting down to 1 lookup requires FreeRadius 2.0 (not currently

> Thanks for your help,
> Nathan
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University

More information about the Freeradius-Users mailing list
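
Added example, not part of the original message and not FreeRADIUS code: a small Python script that tallies requests, challenges and LDAP lookups per authentication from debug-mode output, to check how many directory hits one login costs before and after a change like the one suggested above. The log lines are constructed around the fragments quoted in the post; the address 192.0.2.10, the user name and the `rlm_ldap: performing user authorization` marker are assumptions to adjust to your own debug output.

```python
import re

# Patterns built on the fragments quoted in the post; the address layout is assumed.
REQ = re.compile(r"Access-Request packet from host (\S+?):(\d+)")
SENT = re.compile(r"Sending Access-(Challenge|Accept|Reject) of id \d+ to (\S+) port (\d+)")
LOOKUP_MARKER = "rlm_ldap: performing user authorization"  # assumed marker line

def summarize(lines, lookup_marker=LOOKUP_MARKER):
    """Return one record per finished authentication, keyed by NAS host and port."""
    open_sessions, current, finished = {}, None, []
    for line in lines:
        m = REQ.search(line)
        if m:  # new packet: debug mode handles one packet at a time
            current = (m.group(1), m.group(2))
            s = open_sessions.setdefault(
                current, {"requests": 0, "challenges": 0, "lookups": 0})
            s["requests"] += 1
            continue
        if lookup_marker in line and current in open_sessions:
            open_sessions[current]["lookups"] += 1
            continue
        m = SENT.search(line)
        if not m:
            continue
        key = (m.group(2), m.group(3))
        if key not in open_sessions:
            continue
        if m.group(1) == "Challenge":
            open_sessions[key]["challenges"] += 1
        else:  # Accept or Reject ends the EAP conversation
            finished.append({"client": key, "result": m.group(1),
                             **open_sessions.pop(key)})
    return finished

def sample_log(challenges, lookup_on):
    """Constructed lines: `challenges` challenge rounds, then an accept."""
    out = []
    for i in range(challenges + 1):
        out.append("rad_recv: Access-Request packet from host 192.0.2.10:1082, id=0")
        if i in lookup_on:  # packets on which the LDAP module runs
            out.append("rlm_ldap: performing user authorization for testuser")
        kind = "Accept" if i == challenges else "Challenge"
        out.append(f"Sending Access-{kind} of id 0 to 192.0.2.10 port 1082")
    return out

if __name__ == "__main__":
    for name, on in (("lookup on every packet", range(11)), ("inner packets only", {9, 10})):
        print(name, summarize(sample_log(10, on)))
```

The script assumes one authentication at a time per NAS source address and port, which holds for a single test client against a server running in debug mode.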