how to limit the repeating ldap lookups

Martin Kraus lists_mk at wujiman.net
Wed Aug 28 18:36:23 CEST 2013


On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

with

if ( (EAP-Type == Identity) || (EAP-Type == NAK) || (EAP-Message =~ /^0x02..00061a..$/) ) {
    default = return
}

The only lookup happens on the pass just above the ^EAP-TLS message. Each
^Authorize: line is one Access-Request. The others are Identity, NAK or empty
EAP-Response 0x02..00061a..

Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy= VIRT=default
Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=NAK Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
EAP-TLS: User=test EAP-Type=MS-CHAP-V2 outer.EAP-Type=PEAP EAP-Message=0x0209004... Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=MS-CHAP-V2 EAP-Message=0x030a0004 Packet-Type=Access-Accept, VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default

mk
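To show concretely what the condition in the post is matching, here is an added example (written for this page, not code from the post or from FreeRADIUS) that decodes the EAP header inside a FreeRADIUS EAP-Message value and classifies each inner-tunnel Access-Request as one that does or does not need the NT-Password from LDAP. The sample EAP-Message strings are constructed here rather than copied from the log above; the EAP codes and types are the RFC 3748 values (Identity = 1, NAK = 3, PEAP = 25, MS-CHAPv2 = 26), and the MS-CHAPv2 opcodes (1 Challenge, 2 Response, 3 Success, 4 Failure) are from the EAP-MSCHAPv2 draft. The regex is the post's `^0x02..00061a..$` applied to the same `0x...` string form FreeRADIUS uses for octets attributes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# EAP codes and the EAP types that appear in the post's log (RFC 3748 values).
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "NAK", 25: "PEAP", 26: "MS-CHAP-V2"}
# EAP-MSCHAPv2 opcodes from the EAP-MSCHAPv2 draft; opcode 2 carries the NT-Response.
MSCHAPV2_OPCODE = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# The post's unlang regex, applied to the same "0x..." string FreeRADIUS prints.
EMPTY_MSCHAPV2_RESPONSE = re.compile(r"^0x02..00061a..$")


@dataclass
class EapInfo:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str]
    opcode: Optional[str]


def parse_eap_message(attr: str) -> EapInfo:
    """Decode the EAP header of a FreeRADIUS EAP-Message value ('0x' + hex)."""
    if not attr.startswith("0x"):
        raise ValueError("EAP-Message must be a 0x-prefixed hex string")
    raw = bytes.fromhex(attr[2:])
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes: code, id, length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    eap_type = opcode = None
    # Only Request/Response packets carry a Type byte; Success/Failure are 4 bytes total.
    if code in (1, 2) and len(raw) >= 5:
        t = raw[4]
        eap_type = EAP_TYPE.get(t, f"type-{t}")
        if t == 26 and len(raw) >= 6:
            opcode = MSCHAPV2_OPCODE.get(raw[5], f"opcode-{raw[5]}")
    return EapInfo(EAP_CODE.get(code, f"code-{code}"), ident, length, eap_type, opcode)


def needs_password_lookup(attr: str) -> bool:
    """True only for the MS-CHAPv2 Response (opcode 2), the one packet whose NT-Response
    must be verified against the user's NT hash, i.e. the pass that needs the LDAP lookup."""
    info = parse_eap_message(attr)
    if info.code != "Response":
        return False
    if info.eap_type in ("Identity", "NAK"):
        return False
    if EMPTY_MSCHAPV2_RESPONSE.match(attr):
        # 6-byte MS-CHAPv2 acknowledgement (opcode 3 or 4): carries no credential.
        return False
    return info.eap_type == "MS-CHAP-V2" and info.opcode == "Response"


def build_mschapv2_response(eap_id: int, name: bytes) -> str:
    """Construct an EAP-Response/MS-CHAPv2 Response packet (all-zero challenge/NT-Response,
    constructed for illustration only) in FreeRADIUS '0x...' form."""
    value = bytes(16) + bytes(8) + bytes(24) + b"\x00"  # peer challenge, reserved, NT-Response, flags
    ms_len = 1 + 1 + 2 + 1 + len(value) + len(name)     # opcode, id, ms-length, value-size, value, name
    payload = bytes([2, eap_id]) + ms_len.to_bytes(2, "big") + bytes([len(value)]) + value + name
    eap_len = 4 + 1 + len(payload)                      # header + type byte + payload
    pkt = bytes([2, eap_id]) + eap_len.to_bytes(2, "big") + bytes([26]) + payload
    return "0x" + pkt.hex()


# Constructed sample inner-tunnel EAP-Message values, in the order a PEAP/MS-CHAPv2 run sends them.
SAMPLES = [
    ("Identity response for user 'test'", "0x020100090174657374"),
    ("NAK asking for MS-CHAPv2 (type 26)", "0x02020006031a"),
    ("MS-CHAPv2 challenge response", build_mschapv2_response(9, b"test")),
    ("MS-CHAPv2 success acknowledgement", "0x020b00061a03"),
    ("EAP-Success from the server", "0x030a0004"),
]

if __name__ == "__main__":
    for label, attr in SAMPLES:
        info = parse_eap_message(attr)
        print(f"{label:40s} {info.code:8s} type={info.eap_type} opcode={info.opcode} "
              f"lookup={'yes' if needs_password_lookup(attr) else 'no'}")
```

Running it prints one line per sample; only the MS-CHAPv2 challenge response comes out with lookup=yes, which is the single Authorize pass the post identifies. Note that the trailing `..` in the post's regex is a wildcard over the opcode byte, so the condition short-circuits both the Success (03) and Failure (04) acknowledgements; if you want to skip only the success acknowledgement, pin that byte to `03`.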


More information about the Freeradius-Users mailing list