Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
Ivan Kalik
tnt at kalik.net
Thu Jun 18 10:45:56 CEST 2009
> I have a functional question about freeradius and the ldap lookups. We
> currently run cisco wlc440x with WPA2-AES-PEAP-MSCHAPv2 against
> freeradius, and it is taking a while to authenticate - roughly 35 seconds.
> It seems most of this is being chewed up by our slow ldap lookups (about
> 4-6 seconds each, this is an ldap server issue), in combination with the
> number of ldap lookups freeradius does per session (5-6). Is it normal
> for the freeradius server to perform this many ldap lookups, or do I have
> a configuration error? It seems like it does ldap calls each time it
> receives an access-request from an access-challenge.
It doesn't. It does them the first two times while the EAP type is established, and then for the inner tunnel requests.
> I've played with the
> controller auth timeouts, it doesn't seem to make a difference. Here is
> the debug output from a single session:
You can change the default EAP type in eap.conf to peap (it's mschapv2 now; leave mschapv2 in the peap section) and lose the first exchange.
Ivan Kalik
Kalik Informatika ISP
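The eap.conf change described in the reply above, as an added illustration that is not part of the original post or of the FreeRADIUS distribution. It assumes the FreeRADIUS 2.x eap.conf layout (an outer `eap { }` block with a nested `peap { }` block); only the two `default_eap_type` lines matter here, every other setting is left at whatever the installation already uses and is shown as a placeholder comment.

```conf
# Before: the outer EAP default is mschapv2. The first Access-Request carries
# no EAP type, so the server proposes mschapv2, the client NAKs and asks for
# PEAP, and that extra round trip costs one more authorize pass (and LDAP lookup).
eap {
        default_eap_type = mschapv2
        # ... timer / max_sessions settings unchanged ...

        peap {
                default_eap_type = mschapv2
                # ... tls / copy_request_to_tunnel settings unchanged ...
        }
}

# After: propose PEAP on the first exchange. mschapv2 stays as the default
# *inner* method inside the peap section, so the tunnelled authentication
# is unchanged; only the initial negotiation round trip is removed.
eap {
        default_eap_type = peap
        # ... timer / max_sessions settings unchanged ...

        peap {
                default_eap_type = mschapv2
                # ... tls / copy_request_to_tunnel settings unchanged ...
        }
}
```

After editing, run `radiusd -X` and watch a single PEAP session: the NAK for type 25 (PEAP) that followed the initial mschapv2 proposal should no longer appear, and the outer authorize section, with its ldap call, should run one time fewer per session. This does not change the per-query LDAP latency itself; that remains a directory-server issue, as the original poster noted.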
More information about the Freeradius-Users
mailing list