On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote: > Does anyone have a configuration which gets it down to a single LDAP query > for PEAP?
The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup.

    # When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we skip the NACK so we want
    # to skip only up to 0x04
    # When EAP-TLS runs in PEAP the identifiers don't reset so we need to weed out more messages
    if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
        default = return
    }
    elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
        default = return
    }

I found that if I nest ifs then "default = return" won't skip the authorize section, and putting the tests on multiple lines doesn't work, so it is this ugly :-)

However, this really isn't foolproof. I think the identifier is first set by the NAS as it sends the EAP Request for Identity, so if that starts at something weird then this will be totally off. I don't know if any RFC requires the identifier to start at 0. Then it depends on the size of the information that the server is sending to the client. That depends on the number of certificates and MTU and fragment size and who knows what else. In my setup with MTU 1500 it fits in 3 Access-Challenge packets and so far it holds. I've checked wpa_supplicant and Mac OS X and there haven't been any problems so far, so I'm going to stick with it.

I'll investigate the possibility of using LDAP lookups in post-auth, but that means no MSCHAPv2 or any other password-based auth.

mk

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
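As an added illustration (not the poster's configuration and not FreeRADIUS code) of what those two regexes select on the wire: the Python below parses the inner EAP-Message as an EAP header (RFC 3748) with the EAP-TLS flags byte (RFC 5216) and shows that each pattern matches exactly the 6-byte EAP-TLS ACK responses whose identifier is above 0x04 (EAP-TTLS outer) or 0x0c (PEAP outer). It assumes the EAP-Message is available as raw bytes (the unlang "0x" prefix is dropped); the sample packets are constructed here.

```python
import re
import struct

# The two patterns from the post, with unlang's "0x" prefix dropped so they apply to bytes.hex().
# Both match a 6-byte EAP-TLS Response (type 0x0d) with flags 0x00, i.e. a TLS fragment ACK,
# whose identifier is above a threshold: id >= 0x05 for the EAP-TTLS case, id >= 0x0d for PEAP.
SKIP_PATTERNS = {
    "EAP-TTLS": re.compile(r"^02([1-9a-f].|0[5-9a-f])00060d00$"),
    "PEAP": re.compile(r"^02([1-9a-f].|0[d-f])00060d00$"),
}
ID_THRESHOLD = {"EAP-TTLS": 4, "PEAP": 12}  # the same thresholds, stated on the parsed id

EAP_RESPONSE = 2   # RFC 3748 code
EAP_TYPE_TLS = 13  # RFC 3748 type 0x0d

def parse_eap(packet: bytes) -> dict:
    """Parse an EAP header (RFC 3748) plus the EAP-TLS flags byte (RFC 5216) when present."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": code, "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type byte
        info["type"] = packet[4]
        if packet[4] == EAP_TYPE_TLS and length >= 6:
            info["flags"] = packet[5]
    return info

def is_tls_ack(packet: bytes) -> bool:
    """True for a bare EAP-TLS Response with no flags and no data: the client's fragment ACK."""
    p = parse_eap(packet)
    return (p["code"] == EAP_RESPONSE and p["length"] == 6
            and p.get("type") == EAP_TYPE_TLS and p.get("flags") == 0)

def authorize_continues(packet: bytes, outer: str) -> bool:
    """The post's test: the regex matches, so 'return' is NOT taken and the LDAP query runs."""
    return SKIP_PATTERNS[outer].match(packet.hex()) is not None

def authorize_continues_by_id(packet: bytes, outer: str) -> bool:
    """Same decision made on the parsed header rather than on the hex string."""
    return is_tls_ack(packet) and parse_eap(packet)["id"] > ID_THRESHOLD[outer]

# Constructed sample inner EAP messages: ACKs with id 0x04, 0x05, 0x0d, 0x10, plus a non-ACK.
SAMPLES = {ident: bytes([EAP_RESPONSE, ident, 0, 6, EAP_TYPE_TLS, 0]) for ident in (4, 5, 13, 16)}
NOT_ACK = bytes([EAP_RESPONSE, 5, 0, 7, EAP_TYPE_TLS, 0, 0x16])  # 1 byte of TLS data, not an ACK
```

Running authorize_continues and authorize_continues_by_id over SAMPLES for both outer methods gives identical answers, which is the check that the hex regex really encodes "ACK with id above the threshold" and nothing else.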