how to limit the repeating ldap lookups

Matthew Newton mcn4 at
Wed Aug 28 17:49:42 CEST 2013

On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> > Apparently not; you can apparently run EAP-TLS inside PEAP,
> > which is a new one on me.

Has been running fine here for months. Only real benefit - SoH with

> > For PEAP/MSCHAP, under 2.x the link someone posted to my
> > horrible hack works. Or under 3.x, "eap { ok = return }" in
> > the inner-tunnel also works.
> OK. Just wondering if you could really get it down to a single
> lookup, IIRC you needed the 'known good' NT-Password data for a
> couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual
server, where we can lookup the certificate data in LDAP. It hits
once, after the cert has verified, and allows other things to deny
the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the
mods-available/eap file, option "virtual_server" in the "tls"

I backported the patch I wrote to do this to v2 (which is what we
are running); I'm not sure if it made it into the released 2.x
code (I doubt it). It's an easy patch it anyone wants to do it


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list