On 19/06/13 15:32, Olivier Beytrison wrote:
On 19.06.2013 16:02, [email protected] wrote:
Hi,
Some other comments -
Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf
Save yourself some LDAP lookups by removing ldap from the outer.
..and save some more hits to LDAP by wrapping the call to it in the authorization stage to just the EAP Identity packet :-)
That's pretty interesting, what's the if() you're doing to achieve that?
He he he... if I recall correctly I came up with something like:
server inner-tunnel {
    authorize {
        eap
        # stop processing authorize on eap identity or mschap success/fail
        if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
            noop
        }
        else {
            # rest of config goes here
        }
    }
}
Note however that you can avoid this in "master" versions of the server
with:
server inner-tunnel {
    authorize {
        eap {
            ok = return
        }
    }
}
...as the EAP module was updated to return "ok" on identity/mschap
responses. Yet another reason to upgrade!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
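The unlang condition above is compact but opaque: it keys off the raw EAP header. The following Python is an added example (not code from the thread or from FreeRADIUS) that builds constructed EAP-Message values per RFC 3748 (Code, Identifier, Length, Type, Type-Data), applies the same decision the `if()` makes, and checks that decision against the regex from the post. It assumes FreeRADIUS renders an octets attribute as a "0x" prefix followed by lowercase hex, which is what the regex's `1a` relies on; the packet samples are constructed here, not captured traffic.

```python
import re
import struct

# EAP constants from RFC 3748 and RFC 2759 / draft-kamath-pppext-eap-mschapv2.
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_RESPONSE = 2
MSCHAPV2_OPCODE_SUCCESS = 3
MSCHAPV2_OPCODE_FAILURE = 4

# The regex from the post. FreeRADIUS renders octets as "0x" + hex, so
# each ".." is one byte: code 02 (Response), any identifier, length 0006,
# type 1a (MS-CHAPv2), any single byte of type-data, end of packet.
POST_REGEX = re.compile(r"^0x02..00061a..$")


def build_eap(code, identifier, eap_type, type_data=b""):
    """Build a whole EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(msg):
    """Split an EAP packet into its header fields, rejecting length mismatches."""
    if len(msg) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(msg)))
    eap_type = msg[4] if length >= 5 else None  # Success/Failure codes carry no type
    return {"code": code, "identifier": identifier, "length": length,
            "type": eap_type, "data": msg[5:]}


def skip_authorize(msg):
    """The decision the posted if() makes: True when the rest of inner-tunnel
    authorize (LDAP and friends) can be skipped for this packet.

    That is an EAP Identity response, or a 6-byte MS-CHAPv2 response, which is
    the peer's one-byte Success/Failure acknowledgement. A real MS-CHAPv2
    Response (opcode 2) carries a 49-byte response value and is far longer."""
    pkt = parse_eap(msg)
    if pkt["code"] != EAP_RESPONSE:
        return False
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return True
    if pkt["type"] == EAP_TYPE_MSCHAPV2 and pkt["length"] == 6:
        return True
    return False


def freeradius_hex(msg):
    """Render an octets value the way the regex expects it: '0x' + lowercase hex (assumed)."""
    return "0x" + msg.hex()


def regex_matches(msg):
    """Apply the post's regex to the rendered attribute value."""
    return POST_REGEX.match(freeradius_hex(msg)) is not None


# Constructed samples (not captured traffic).
IDENTITY_RESPONSE = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous")
MSCHAPV2_SUCCESS_ACK = build_eap(EAP_RESPONSE, 7, EAP_TYPE_MSCHAPV2, bytes([MSCHAPV2_OPCODE_SUCCESS]))
MSCHAPV2_FAILURE_ACK = build_eap(EAP_RESPONSE, 8, EAP_TYPE_MSCHAPV2, bytes([MSCHAPV2_OPCODE_FAILURE]))
# Full MS-CHAPv2 Response: opcode, MS-CHAPv2 id, MS-Length, Value-Size=49, 49 zero bytes, Name.
_MSCHAP_BODY = bytes([MSCHAPV2_OPCODE_RESPONSE, 9]) + struct.pack("!H", 58) + bytes([49]) + bytes(49) + b"user"
MSCHAPV2_RESPONSE = build_eap(EAP_RESPONSE, 9, EAP_TYPE_MSCHAPV2, _MSCHAP_BODY)
IDENTITY_REQUEST = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)

SAMPLES = {
    "identity response": IDENTITY_RESPONSE,
    "mschapv2 success ack": MSCHAPV2_SUCCESS_ACK,
    "mschapv2 failure ack": MSCHAPV2_FAILURE_ACK,
    "mschapv2 full response": MSCHAPV2_RESPONSE,
    "identity request": IDENTITY_REQUEST,
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print("%-24s %-22s skip=%-5s regex=%s" % (
            name, freeradius_hex(msg), skip_authorize(msg), regex_matches(msg)))
```

Only the two acknowledgements match the regex; the Identity response is caught by the `EAP-Type == 1` half of the condition, and the real MS-CHAPv2 Response (where the user name is actually needed for the LDAP lookup) falls through to the rest of authorize. Note that `EAP-Message[0]` is the first RADIUS EAP-Message attribute; a 6-byte packet always fits in one, so the regex is safe for this case even though larger EAP packets are split across several attributes.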