Configuring LDAP lookups for EAP and inner-tunnel

Jeffrey Collyer jwc3f at virginia.edu
Thu Sep 23 18:59:53 CEST 2010



On 9/17/10 11:09 AM, Alan DeKok wrote:
> Jeffrey Collyer wrote:

>> Could someone give me a pointer/hint as to how to configure eap/ldap to
>> cut down on the number of ldap queries.  Any help greatly appreciated.
>
>    The default configuration does *not* do LDAP lookups.  So... use the
> default config, and then enable LDAP lookups in the "inner-tunnel".
>

Setup information that I failed to explain properly the first time:
freeradius 2.1.7 is used to
authenticate wireless users with eap-tls, with the users' authorization to 
connect being the cn of the certificates they have on their client. 
That cn is checked against ldap for an attribute 'wirelessAccess'.
(And I know that the cert's outer identity can be set to anything, but 
for this test it's valid on the connecting machine.)

I started with a default configuration and added ldap to it in the 
sites-enabled/default file's authorize section.  And it worked, 
authenticating the client, but with many (about a dozen) ldap lookups.

I then moved the ldap line over to the sites-enabled/inner-tunnel file 
and removed it from default.  The configuration would run, but would not 
validate against ldap.

Then I realized that the 'tls' section of the modules/eap.conf file 
doesn't have a virtual_server directive, but even after putting that in 
the 'tls' section, it still doesn't run an ldap query when I try to 
authenticate.


So my assumption is that the eap module doesn't use the inner tunnel for 
tls.


If this is not the case, then I can certainly provide the debug output 
from 'freeradius -X', but I don't want to waste the bits if my 
assumption is true.

Thanks
Jeff