Configuring LDAP lookups for EAP and inner-tunnel
Jeffrey Collyer
jwc3f at virginia.edu
Thu Sep 23 18:59:53 CEST 2010
On 9/17/10 11:09 AM, Alan DeKok wrote:
> Jeffrey Collyer wrote:
>> Could someone give me a pointer/hint as to how to configure eap/ldap to
>> cut down on the number of ldap queries. Any help greatly appreciated.
>
> The default configuration does *not* do LDAP lookups. So... use the
> default config, and then enable LDAP lookups in the "inner-tunnel".
>
setup information that I failed to explain properly the first time:
freeradius 2.1.7 is used to
authenticate wireless users with eap-tls, with the users' authorization to
connect being the cn of the certificates they have on their client.
That cn is checked against ldap for an attribute 'wirelessAccess'.
(and I know that the cert's outer identity can be set to anything, but
for this test it's valid on the connecting machine.)
I started with a default configuration and added ldap to it in the
sites-enabled/default file's authorize section. And it worked
authenticating the client, but with many (about a dozen) ldap lookups.
I then moved the ldap line over to the sites-enabled/inner-tunnel file
and removed it from default. The configuration would run, but would not
validate against ldap.
Then I realized that the 'tls' section of the modules/eap.conf file
doesn't have a virtual_server directive, but even after putting that in
the 'tls' section, it still doesn't run an ldap query when I try to
authenticate.
So my assumption is that the eap module doesn't use the inner tunnel for
tls.
If this is not the case, then I can certainly provide the debug output
from 'freeradius -X', but I don't want to waste the bits if my
assumption is true.
Thanks
Jeff
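EAP-TLS carries no inner tunnel (the inner-tunnel virtual server only serves PEAP/TTLS), so the certificate check has to hang off the tls section instead. The configuration below is an added example, not config from this thread or from the FreeRADIUS distribution; it assumes a 2.1.x release whose tls section honours virtual_server (the poster notes 2.1.7's stock eap.conf lacks it), the server name check-eap-tls, the base DN ou=people,dc=example,dc=edu, and that wirelessAccess holds the string TRUE.

```unlang
# modules/eap.conf (added example): hand the presented client certificate
# to a virtual server; only that server's authorize section is run, and its
# return code decides whether the certificate is accepted.
eap {
        default_eap_type = tls
        tls {
                # ... certificate_file, private_key_file, CA_file as before ...
                virtual_server = check-eap-tls   # name is an assumption
        }
}

# sites-enabled/check-eap-tls (added example)
server check-eap-tls {
        authorize {
                # TLS-Client-Cert-Common-Name is populated by the eap module
                # from the certificate's subject CN. One ldap xlat per
                # handshake replaces the dozen lookups seen when the ldap
                # module sits in the default server's authorize section.
                # Base DN and attribute value ("TRUE") are assumptions.
                if ("%{ldap:ldap:///ou=people,dc=example,dc=edu?wirelessAccess?sub?(cn=%{TLS-Client-Cert-Common-Name})}" == "TRUE") {
                        ok
                }
                else {
                        # Anything other than ok/updated rejects the certificate,
                        # so a CN with no wirelessAccess entry never gets a session.
                        reject
                }
        }
}
```

With this in place the ldap line can be removed from sites-enabled/default, and 'radiusd -X' should show exactly one ldap query, tagged with the certificate CN, per authentication.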