Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
Brian Wilson
briw111 at yahoo.com
Sat Sep 19 00:39:18 CEST 2009
When I did the upgrade I had just copied-pasted my old configuration and it worked without issue, so I completely missed the inner-tunnel.
Making those changes helped a lot and reduced the LDAP calls to 3 - Thanks!! I would like to drop this further, as it seems that 2 of them are from the authorize section. I can't seem to remove it from the authorize section, though, as doing so pisses off mschap (can't find NT-password) and removing mschap pisses off FR (no auth-type defined). Also, I use a LDAP huntgroup, where users in an LDAP group are allowed to attach to a special SSID, which I think is part of the authorization process....
So here is my new configuration, perhaps someone can spot something I'm missing? (tried looking through documentation, can't seem to find my error).
default file:
authorize {
    preprocess
    auth_log
    mschap
    suffix
    ntdomain
    eap {
        ok = return
    }
    files {
        notfound = reject
        noop = reject
        fail = reject
    }
    expiration
    logintime
}
authenticate {
    eap
}
and inner-tunnel:
authorize {
    unix
    suffix
    ntdomain
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    redundant-load-balance {
        LDAPsvr1
        LDAPsvr2
    }
    expiration
    logintime
}
authenticate {
    Auth-Type LDAP {
        redundant-load-balance {
            LDAPsvr1
            LDAPsvr2
        }
    }
    unix
    eap
}
> Hi,
> > I will need to do some more research on inner-tunnels, as I'm not too familiar with them. How would I add the ldap components? As part of the peap module itself?
>
>no - you simply configure the required part of the inner-tunnel virtual server - inner-tunnel
>virtual server gets called as part of the EAP config - and _only_ as part of EAP with default config - check the default raddb config
>alan
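The following is an added illustration (editor's example, not the poster's configuration and not the FreeRADIUS default files) of the point made in the quoted reply: the inner-tunnel virtual server is invoked only from the PEAP section of eap.conf, so an ldap call placed in its authorize section after `eap { ok = return }` runs only for inner packets that the eap module does not answer immediately (the EAP-MSCHAPv2 exchange), and the LDAP lookup there exists solely to supply the NT-Password attribute that mschap needs. The module names LDAPsvr1/LDAPsvr2 are taken from the post; everything else is assumed to match a stock 2.x layout.

```unlang
# eap.conf (FreeRADIUS 2.x layout, illustrative): PEAP hands the inner EAP
# conversation to the "inner-tunnel" virtual server. With the stock config this
# is the only place that server is ever entered; the outer "default" server
# never runs inner-tunnel sections itself.
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel (illustrative, not the poster's file)
server inner-tunnel {
    authorize {
        suffix
        ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        # Packets the eap module answers on its own (e.g. the inner identity
        # response) stop here; nothing below runs for them.
        eap {
            ok = return
        }
        # Reached only for inner packets eap did not answer directly. The LDAP
        # lookup fetches the user's NT-Password so rlm_mschap can verify the
        # MSCHAPv2 response; module names LDAPsvr1/LDAPsvr2 are from the post.
        redundant-load-balance {
            LDAPsvr1
            LDAPsvr2
        }
        expiration
        logintime
    }
    authenticate {
        # EAP-MSCHAPv2 is verified inside eap (which calls mschap against the
        # NT-Password from authorize). An "Auth-Type LDAP" bind cannot be used
        # here: no clear-text password is available in an MSCHAPv2 exchange.
        eap
    }
}
```

Because the ldap lookup sits in authorize, it runs once per inner-tunnel packet that gets past the eap module; counting those packets in `radiusd -X` output against the LDAP server's logs is the direct way to see which section each lookup originates from.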