Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
Alexander Clouter
alex at digriz.org.uk
Fri Sep 18 09:50:42 CEST 2009
Brian Wilson <briw111 at yahoo.com> wrote:
>
> I will need to do some more research on inner-tunnels, as I'm not too
> familiar with them. How would I add the ldap components? As part of
> the peap module itself? All the documentation I've found on LDAP
> requires the ldap modules to be referenced in both the authorize and
> authentication sections directly. It would be useful to see some more
> examples.
>
Looking below the problem is not removing the LDAP lookups but speeding
them up. I would strongly recommend you speak to the LDAP administrator
and tell them to index 'cn' and 'objectclass'. As you are using
eDirectory I would normally guess
So the alternative plan of action is to look at the object classes you use and
make your searches more specific, I use something like:
(&(objectClass=Person)(cn=%{%{Stripped-User-Name}:-%{User-Name}}))
As you are querying eDirectory there will be *lots* of objects in there
that are not actual users. You use 'objectClass' to only search for
*real* people (stripping out file shares, files, workstations, printers,
etc etc) and then you hunt for the username.
By using "ldapsearch -LLL -x -h ldap.example.com '<query>'" you will be
able to work out what is fast and what is slow against your directory.
As you are using eDirectory I assume you work in academia, I *strongly*
recommend you force people to enter in their realm with their username
(for example bob at example.edu) from the start...otherwise you are going
to be kicking yourself when you look to things like 'eduroam'[1].
Cheers
[1] your users will roam to other universities to find their credentials
do not work as they are presenting themselves as 'bob' rather
than 'bob at example.edu' and so their request is rejected. The
solution is to reject realmless logins even locally as your
helpdesk will refuse to listen unless when they do does not work
--
Alexander Clouter
.sigmonster says: There's no time like the pleasant.
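To show the two points above together (the `%{%{Stripped-User-Name}:-%{User-Name}}` fallback with the objectClass-restricted filter, and rejecting realmless logins), here is an added Python example that is not code from the post or from FreeRADIUS. It assumes a simple `user@realm` username format; `ldap_filter_escape` is a hypothetical helper applying RFC 4515 escaping so the User-Name cannot alter the filter structure.

```python
import re
from typing import Optional, Tuple

# Constructed assumption: usernames carry their realm as user@realm.
REALM_RE = re.compile(r'^([^@]+)@([^@]+)$')

# RFC 4515 escaping for values embedded in an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_filter_escape(value: str) -> str:
    """Hypothetical helper: escape filter metacharacters in an attribute value."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def split_realm(user_name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (Stripped-User-Name, realm), or (None, None) when no realm is present."""
    m = REALM_RE.match(user_name)
    if not m:
        return None, None
    return m.group(1), m.group(2).lower()


def build_filter(user_name: str, require_realm: bool = True) -> Optional[str]:
    """Build the objectClass-restricted filter from the post.

    Mimics %{%{Stripped-User-Name}:-%{User-Name}}: use the stripped name when a
    realm was present, otherwise fall back to the raw User-Name. With
    require_realm set, a realmless login is rejected (returns None) instead of
    being looked up, as the post recommends for eduroam-style roaming.
    """
    stripped, _realm = split_realm(user_name)
    if stripped is None:
        if require_realm:
            return None
        stripped = user_name
    return '(&(objectClass=Person)(cn=%s))' % ldap_filter_escape(stripped)
```

Running `build_filter('bob')` returns `None` (rejected locally), while `build_filter('bob@example.edu')` yields the narrowed filter ready for `ldapsearch -LLL -x`.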