Wow - that should do the trick. I've been working with EAP/SIM for a while, and forgot that other EAP types may want to check the database for a password. SIM doesn't need that, so I'll try the configurable failover. It would be really cool if I can have the failover decision based on the EAP type, but I suspect that may not be possible. As long as we only use SIM that won't be necessary.

Thanks,
Dave

Alan DeKok wrote:

Dave Mason <[EMAIL PROTECTED]> wrote:


For an EAP authentication, the authorize block modcall calls eap_authorize, which returns "updated." However, rlm_sql runs and searches the database for the EAP user, which isn't there. Everything works, but the database hit is unnecessary. Is there something I can do to prevent that?



The database hit is usually necessary, in order to discover what username/password to use. The control flow goes like:

 rlm_eap discovers EAP in the request, marks it as "Auth-Type EAP"

 rlm_sql discovers user "bob" has password "bob", and adds the password
 to the config items for the request

 rlm_eap authenticates user "bob", using password "bob", to do
 EAP-MD5, etc.


If you don't need the database hit, see 'doc/configurable_failover'. Have the SQL module run only if EAP returns "noop".

Alan DeKok.
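
The failover suggested in the thread, as an added example that is not part of the original messages or of the FreeRADIUS code: a simplified Python model of an authorize section in which `sql` runs only when `eap` returns "noop". The module stand-ins, the priority numbers and the sample requests are assumptions made for illustration.

```python
# Simplified model of configurable failover in a FreeRADIUS authorize section.
# Assumptions: the module stand-ins, priority numbers and sample requests are
# constructed for illustration. Configuration being modelled:
#   authorize {
#       eap {
#           updated = return
#       }
#       sql
#   }
RETURN = "return"

# Assumed section defaults: the highest number wins when several modules run.
DEFAULT_ACTIONS = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4,
                   "fail": RETURN, "reject": RETURN}

def eap(request):
    # Per the thread: EAP requests are marked and "updated" is returned.
    if "EAP-Message" in request:
        request["Auth-Type"] = "EAP"
        return "updated"
    return "noop"

def sql(request):
    # Stand-in for rlm_sql: counts the lookup, knows only user "bob".
    request["db_hits"] = request.get("db_hits", 0) + 1
    return "ok" if request["User-Name"] == "bob" else "notfound"

def run_authorize(section, request):
    """Run (module, overrides) pairs; an action of 'return' stops the section."""
    result, best = "noop", 0
    for module, overrides in section:
        rcode = module(request)
        action = {**DEFAULT_ACTIONS, **overrides}[rcode]
        if action == RETURN:
            return rcode
        if action > best:
            result, best = rcode, action
    return result

STOCK = [(eap, {}), (sql, {})]
FAILOVER = [(eap, {"updated": RETURN}), (sql, {})]
SIM_REQ = {"User-Name": "1234@sim.example", "EAP-Message": b"\x02"}  # constructed
PAP_REQ = {"User-Name": "bob"}  # constructed

def demo(section, request):
    """Return (section result, number of database lookups) for one request."""
    req = dict(request)
    return run_authorize(section, req), req.get("db_hits", 0)
```

With the override, the EAP request leaves the section before `sql` is called, while a non-EAP request still reaches the database because `eap` returns "noop".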







- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
