Authentication using LDAP for 802.1x
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 19 17:09:00 CEST 2013
On 19/06/13 15:32, Olivier Beytrison wrote:
> On 19.06.2013 16:02, A.L.M.Buxey at lboro.ac.uk wrote:
>> Hi,
>>
>>> Some other comments -
>>>
>>> Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
>>> 2.2.x.
>>>
>>> Save yourself some round trip packets by setting default_eap_type
>>> = ttls in eap.conf
>>>
>>> Save yourself some LDAP lookups by removing ldap from the outer.
>>
>> ..and save some more hits to LDAP by wrapping the call to it in the
>> authorization stage to just the EAP Identity packet :-)
>
> That's pretty interesting, what's the if() you're doing to achieve that?
He he he... if I recall correctly I came up with something like:
server inner-tunnel {
    authorize {
        eap
        # stop processing authorize on eap identity or mschap success/fail
        if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
            noop
        }
        else {
            # rest of config goes here
        }
    }
}
Note however that you can avoid this in "master" versions of the server
with:
server inner-tunnel {
    authorize {
        eap {
            ok = return
        }
    }
}
...as the EAP module was updated to return "ok" on identity/mschap
responses. Yet another reason to upgrade!
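As an added illustration (not part of Phil's post or of the FreeRADIUS project), the Python below decodes EAP-Message values written the way FreeRADIUS prints octets (0x followed by hex) and applies the same skip decision structurally: EAP-Identity, or a 6-byte EAP-Response of type 26 (MSCHAPv2), which is exactly what the regex /^0x02..00061a..$/ matches. The sample packets are constructed for the example.

```python
import re
import struct

# Constants from the EAP and MSCHAPv2 specs; 0x1a == 26 is the MSCHAPv2 EAP type.
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_SUCCESS = 3
MSCHAPV2_OPCODE_FAILURE = 4

# The regex from the post, applied to the printed attribute value.
POST_REGEX = re.compile(r"^0x02..00061a..$")


def parse_eap(hex_value):
    """Decode a FreeRADIUS-style '0x...' EAP-Message into its header fields."""
    if not hex_value.startswith("0x"):
        raise ValueError("expected 0x-prefixed hex")
    raw = bytes.fromhex(hex_value[2:])
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    eap_type = raw[4] if length > 4 else None
    return {"code": code, "id": ident, "length": length,
            "type": eap_type, "data": raw[5:]}


def is_short_circuit(hex_value):
    """True when the post's 'noop' branch would be taken for this packet.

    Matches an EAP-Identity packet, or a 6-byte EAP-Response/MSCHAPv2:
    4-byte header + type + opcode, i.e. the client's Success/Failure ack.
    """
    pkt = parse_eap(hex_value)
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return True
    return (pkt["code"] == EAP_CODE_RESPONSE
            and pkt["type"] == EAP_TYPE_MSCHAPV2
            and pkt["length"] == 6)


# Constructed samples: identity "user1", MSCHAPv2 success ack, failure ack,
# and an 8-byte MSCHAPv2 response that must not be skipped.
SAMPLES = ["0x0201000a017573657231", "0x021a00061a03",
           "0x021b00061a04", "0x020500081a020500"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "skip" if is_short_circuit(s) else "process",
              "regex:", bool(POST_REGEX.match(s)))
```

Only the identity packet is skipped without the regex matching, which is why the post's condition also tests EAP-Type == 1.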