LDAP authorize for both EAP-TLS and EAP-PEAP
David Hartburn
D.J.Hartburn at kent.ac.uk
Fri Dec 18 12:12:52 CET 2015
Hi,
We are using LDAP to check for group membership, so we need the lookup
to do that authorization.
I need something like
updated = return (all but once)
That is not valid syntax ;)
Dave
On 17/12/15 18:28, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>>
>> In my site config, I do:
>> eap {
>> ok = return
>> }
>> -ldap
>>
>> This works great for PEAP, as the eap module returns an ok, then
>> the LDAP lookup is performed in the inner tunnel, once only.
>>
>> However, when a certificate-based client associates with EAP-PEAP,
>> the eap module returns 'updated' and the ldap check is performed for
>> each packet. I have updated the ldap line to be:
>
> how are you doing policies on EAP-TLS clients? some people use ldap for
> looking up memberships/groups etc - hence the fall-through is fine
> for default.... but not for your use case.
>
> if you don't want ldap to be processed... and the module returns 'updated'
> then maybe
>
> eap {
> ok = return
> updated = return
> }
> -ldap
>
> (don't forget, EAP-TLS won't go into inner-tunnel)
>
> alan
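One way to express the "return on 'updated', but still run ldap once" behaviour asked for above, written as an added illustration rather than taken from either message: the first Access-Request of an EAP conversation carries no RADIUS State attribute, while every later packet echoes the State the server issued in its Access-Challenge, so gating on State lets the LDAP lookup run only on that first packet. FreeRADIUS 3 unlang syntax is assumed, the `if (State) { return }` idiom and the group name `wifi-users` are this example's own choices, and the rest of the section is elided.

```unlang
authorize {
    preprocess
    suffix

    # Dave's original: for PEAP the eap module answers 'ok' here and the
    # section returns, leaving the LDAP work to the inner tunnel.
    eap {
        ok = return
    }

    # Any packet that carries State belongs to an EAP conversation that is
    # already under way (the 'updated' case seen with EAP-TLS). There is
    # nothing new to authorize, so stop here instead of hitting LDAP again.
    if (State) {
        return
    }

    # Only the very first packet of a conversation reaches this point, so
    # the lookup and the group check happen once per authentication.
    # The leading '-' keeps the server starting even if rlm_ldap is absent.
    -ldap

    # Placeholder group name; Ldap-Group is rlm_ldap's dynamic group check.
    if (!(Ldap-Group == "wifi-users")) {
        reject
    }
}
```

At this point the only identity available is the outer User-Name from the EAP-Identity response; for EAP-TLS the certificate fields (TLS-Client-Cert-Subject and friends) are populated only during the TLS handshake, so a group check that must key on the certificate rather than the presented identity has to live later in the exchange, not in this first-packet branch.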