how to limit the repeating ldap lookups

Martin Kraus lists_mk at wujiman.net
Wed Aug 28 17:00:29 CEST 2013


On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?

The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup. 

# When EAP-TLS runs in an EAP-TTLS tunnel the id starts at 0x00 and we skip the NACK, so we want
# to skip only up to 0x04
# When EAP-TLS runs in PEAP the identifiers don't reset, so we need to weed out more messages
if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
     default = return
}
elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
     default = return
}

I found that if I nest ifs, then default = return won't skip the authorize
section, and putting the tests on multiple lines doesn't work, so it is this
ugly :-)

However, this really isn't foolproof. I think the identifier is first set by
the NAS as it sends the EAP request for identity, so if that starts at something weird
then this will be totally off. I don't know if any RFC requires the identifier
to start at 0.

Then it depends on the size of the information that the server is sending to the
client. That depends on the number of certificates and MTU and fragment size
and who knows what else. In my setup with MTU 1500 it fits in 3
Access-Challenge packets and so far it holds.

I've checked wpa_supplicant and Mac OS X, and there haven't been any problems so
far, so I'm going to stick with it.

I'll investigate the possibility of using LDAP lookups in post-auth, but that
means no MSCHAPv2 or any other password-based auth.

mk
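An added example, not part of the post above: a Python decoder for the EAP-Message values the two regexes match. It parses the EAP header (code, id, length, type, EAP-TLS flags) and re-expresses the filter as "an EAP-TLS ACK whose identifier has reached the threshold", then checks that against the original patterns on constructed sample messages. The hex strings are assumed lowercase with a 0x prefix, as in the post's regexes; the sample messages are constructed for illustration.

```python
import re

# The two patterns from the post, keyed by the outer EAP method.
ACK_PATTERNS = {
    "EAP-TTLS": re.compile(r"^0x02([1-9a-f].|0[5-9a-f])00060d00$"),
    "PEAP":     re.compile(r"^0x02([1-9a-f].|0[d-f])00060d00$"),
}
# Lowest identifier the post's patterns let through (0x05 for TTLS, 0x0d for PEAP).
MIN_ACK_ID = {"EAP-TTLS": 0x05, "PEAP": 0x0d}

EAP_RESPONSE = 2    # EAP code: Response
EAP_TYPE_TLS = 13   # EAP type 0x0d: EAP-TLS

def parse_eap(hex_msg):
    """Decode the EAP header and EAP-TLS fields from a '0x...' hex string."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    fields = {"code": code, "id": ident, "length": length}
    if code in (1, 2) and length >= 5:        # Request/Response carry a type byte
        fields["type"] = raw[4]
        if raw[4] == EAP_TYPE_TLS and length >= 6:
            fields["tls_flags"] = raw[5]      # bit7 = L, bit6 = M, bit5 = S
            fields["tls_data"] = raw[6:]
    return fields

def is_tls_ack(fields):
    """EAP-TLS ACK: a Response of type 13 with flags 0 and no TLS data (length 6)."""
    return (fields["code"] == EAP_RESPONSE and fields.get("type") == EAP_TYPE_TLS
            and fields["length"] == 6 and fields.get("tls_flags") == 0)

def lookup_allowed(hex_msg, outer):
    """Structured form of the post's filter: True only for the ACK whose id has
    reached the threshold, i.e. the single packet the LDAP lookup should run on."""
    f = parse_eap(hex_msg)
    return is_tls_ack(f) and f["id"] >= MIN_ACK_ID[outer]

def regex_allows(hex_msg, outer):
    """The post's own regex, for comparison with the structured check."""
    return bool(ACK_PATTERNS[outer].match(hex_msg))

# Constructed samples: a TLS fragment (id 3, 4 data bytes) and ACKs with ids 3, 5, 0x0d, 0x10.
SAMPLES = ["0x0203000a0d0016030100", "0x020300060d00", "0x020500060d00",
           "0x020d00060d00", "0x021000060d00"]
```

Running `lookup_allowed` and `regex_allows` over `SAMPLES` for both outer methods gives the same verdicts, which makes explicit that the regex is keyed entirely on the identifier value, the dependency the post flags as its weak point.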
