Can we do sql just once during eap-tls handshake

Johan F2 johan.finnved at stek.se
Thu Mar 5 13:32:52 CET 2009


Thanks Phil,
I have tried that but regrettably it does not work.
According to my logs eap returns "updated" every round when doing authorize.
(During the authenticate stage eap returns "handled" except the last round
where it returns "ok")

The comment preceding eap in the default config says:
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
so there is no promise about any improvement when doing EAP-TLS.

Sorry about the ...mangling the default config without understanding...
I am porting an existing config (by someone else) from 1.x so I missed that.
I did examine the log checking the return values from eap though.
/Johan


Phil Mayers wrote:
> 
> Johan F2 wrote:
>> We are using eap-tls for authentication assisted with a database for
>> filling in some attributes.
>> 
>> FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup
>> for each round.
>> (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply).
>> There are 6-9 rounds depending on certificate chain sizes.
>> 
>> Obviously performance would be better with only one database lookup.
>> 
>> Part of the (attempted) configuration:
>> 	authorize {
>> 		preprocess
>> 
>> 		eap
>> 		if (I have tried some conditions here) {
> 
> The default FR 2.0 config has:
> 
> authorize {
>    eap {
>     ok = return
>    }
> }
> 
> ...which will do what you want. As always, mangling the default config 
> without understanding why it does what it does is a bad idea.
> 
