Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
A.L.M.Buxey at lboro.ac.uk
Thu Sep 17 21:40:32 CEST 2009
do you want to authorise using the e-directory (authorize is
are they allowed from that NAS at that time etc....)...
surely you only want to authenticate based on the inner EAP details
if you use 2.1.x then you can ensure that EAP methods get thrown
to the inner-tunnel - and have your LDAP authentication in the inner
tunnel - then LDAP is only called when it's needed... likewise authorise.
only call LDAP when you really believe the details and need to
likewise, only call a module if you need to - you should be able to
vastly reduce calls to your backend infrastructure (I know we did!)
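
The layout described in the message above, as an added example that is not part of the original post or the FreeRADIUS distribution: excerpts of a 2.1.x configuration where the outer PEAP session never touches the directory and `ldap` is listed only in the inner-tunnel virtual server. It assumes the stock 2.1.x file layout and an `ldap` module instance that is already configured and returns a password attribute `mschap` can use.

```conf
# raddb/eap.conf (excerpt; the tls settings PEAP needs stay as in your existing file)
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		# Hand the tunnelled request to its own virtual server
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# raddb/sites-available/default (excerpt): outer session, no directory lookups
authorize {
	preprocess
	# rlm_eap returns "ok" while it is handling the PEAP exchange;
	# "ok = return" ends the authorize section at that point.
	eap {
		ok = return
	}
	# ldap is deliberately not listed in the outer server
}
authenticate {
	eap
}

# raddb/sites-available/inner-tunnel (excerpt): inner EAP-MSCHAPv2 identity
server inner-tunnel {
	authorize {
		mschap
		eap {
			ok = return
		}
		# Assumption: instance named "ldap" defined in raddb/modules/ldap.
		# It runs only for requests that reach the inner tunnel,
		# that is, after the outer TLS tunnel has been established.
		ldap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```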