how to limit the repeating ldap lookups

Olivier Beytrison olivier at
Wed Aug 28 07:48:38 CEST 2013

On 28.08.2013 00:20, Martin Kraus wrote:
> On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
>>   Again, look at the debug log to see what's happening.  *WHY* are you
>> doing LDAP lookups at all?  Can you not delay them?
> Hi. I'm using groups to authorize users and pull radius profiles for the users.
> My config is similar to what the default freeradius configuration offers.
>>   And rlm_cache should help a lot, too.
> I'm stuck with 2.1.10 on ubuntu:-(
> Anyway I managed to filter out most of the redundant ldap lookups. the only thing I'm
> stuck with are lookups during TLS negotiation either in the default server for
> EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The handshake
> takes 8 access-requests and the only way I can see to filter it out is to
> somehow findout if the EAP-Message AVPs contain something to tell me whether
> it's about to be done or not.

I'm just quoting a mail from Phil Mayers a few months ago on this list.
It contains a check that allows to run the checks in authorize only
after the EAP tunnel is established. (Use it only in v2). And remove
ldap from the outer tunnel, you don't need it there anyway.

> ..and save some more hits to LDAP by wrapping the call to it in the
> authorization stage to just the EAP Identity packet

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
    else {
      # rest of config goes here

For complete thread :



 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at

More information about the Freeradius-Users mailing list