Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?

Ivan Kalik tnt at
Thu Jun 18 10:45:56 CEST 2009

> I have a functional question about freeradius and the ldap lookups.  We
> currently run cisco wlc440x with WPA2-AES-PEAP-MSCHAPv2 against
> freeradius, and it is taking a while to authenticate - roughly 35 seconds.
>  It seems most of this is being chewed up by our slow ldap lookups (about
> 4-6 seconds each, this is an ldap server issue), in combination with the
> number of ldap lookups freeradius does per session (5-6).  Is it normal
> for the freeradius server to perform this many ldap lookups, or do I have
> a configuration error?  It seems like it does ldap calls each time it
> receives an access-request from an access-challenge.

It doesn't. It does it first two times while eap type is established and
then for inner tunnel requests.

> I've played with the
> controller auth timeouts, it doesn't seem to make a difference.  Here is
> the debug output from a single session:

You can change default eap type in eap.conf to peap (it's mschav2 now;
leave mschapv2 in peap section) and loose the first exchange.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list