Martin Pauly wrote:
> I have 2.1.6 and things basically work. But I just came across a
> question about the processing of outer/inner identity:
>
> As I understand it, in case of a non-EAP RADIUS request (eg from my old
> modem servers), there is no tunnel and hence no inner identity.
> ==> Autz and Auth are done by the default virtual server and governed by
> the settings in radiusd.conf and sites-available/default -- right?
Yes.

> In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer
> identity is simply used as a dummy during Tunnel setup
> (Our EAP Clients use [email protected] as outer identity).

Yes.

> Nonetheless, freeradius does an LDAP request during Authorization
> which, of course, fails with 'notfound'.

Because that's what you configured...

> freeradius then happily
> proceeds to do the real authentication with inner-tunnel.
> Now I wonder how to avoid that extra LDAP query.

$ man unlang

There's an entire policy language to define rules. Replace the "ldap123" line in the "authorize" section with:

if (!EAP-Message) {
	ldap123
}

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
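The conditional Alan gives, placed in context of both virtual servers, as an added example for this thread (it is not Alan's config, Martin's config, or the stock FreeRADIUS files). It assumes FreeRADIUS 2.x unlang syntax, an LDAP module instance named "ldap123" as in the thread, and that TTLS/PEAP inner requests are handled by the usual "inner-tunnel" virtual server; the PAP/CHAP/MS-CHAP inner methods shown are illustrative:

```unlang
# sites-available/default : the outer virtual server.
# Plain RADIUS requests (e.g. PAP/CHAP from modem servers) are fully
# handled here.  EAP requests only set up the TTLS/PEAP tunnel here and
# carry a placeholder outer identity such as anonymous@example.org.
authorize {
	preprocess
	suffix          # split user@realm so the realm can route the request

	# For a TTLS/PEAP tunnel-setup packet the eap module returns "ok";
	# "ok = return" then ends the authorize section right here, so the
	# modules below never see those packets.
	eap {
		ok = return
	}

	# Look the user up in LDAP only when the request is NOT an EAP
	# request.  The outer EAP identity is a dummy and would only
	# produce a "notfound" lookup.  "ldap123" is the instance name from
	# the thread; use whatever your modules/ldap instance is called.
	if (!EAP-Message) {
		ldap123
	}

	expiration
	logintime
	pap             # sets Auth-Type PAP if a cleartext password is known
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	eap
}

# sites-available/inner-tunnel : the real identity arrives here, inside
# the TTLS/PEAP tunnel, so this is where the LDAP lookup belongs.
server inner-tunnel {
	authorize {
		chap
		mschap          # sets Auth-Type MS-CHAP for PEAP-MSCHAPv2 / TTLS-MSCHAP
		suffix
		eap {
			ok = return
		}
		ldap123         # real user: look up unconditionally
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap             # EAP-MSCHAPv2 inner method of PEAP
	}
}
```

After editing, start the server with "radiusd -X" and send one non-EAP request (radtest) and one EAP login: the debug output should show the ldap123 module being called in the default server only for the non-EAP request, and in inner-tunnel for the EAP one.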

