I have a freeradius server configured to do both EAP-TLS and LDAP auth. It works great so far. If I have a cert. configured, then I'm authenticated with the cert. If I don't have a cert then I get prompted for my un/pw on my NAS's Captive Portal page, which then passes my username/password on to the Radius server which then checks my LDAP server if my un/pw are correct.
When I look through the debug logs, however, I see that the rlm_ldap module is doing an LDAP search for my username during each stage of the EAP session. Is there a way to configure freeradius so that it won't try LDAP auth in the middle of an EAP session? Here's my radiusd.conf: prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radius group = radius max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 8192 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = after lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 0 status_server = yes } proxy_requests = no $INCLUDE ${confdir}/clients.conf snmp = no thread pool { start_servers = 10 max_servers = 128 min_spare_servers = 3 max_spare_servers = 20 max_requests_per_server = 0 } modules { pap { encryption_scheme = crypt } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 shadow = /etc/shadow radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP } ldap { server = "ldap.mycompany.com" basedn = "ou=people,dc=mycompany,dc=com" filter = "(&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))" start_tls = yes dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 25 timeout = 10 timelimit = 10 net_timeout = 1 access_attr_used_for_allow = yes } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { expr } authorize { preprocess mschap eap files ldap } authenticate { Auth-Type MS-CHAP { mschap } eap Auth-Type LDAP { ldap } } preacct { preprocess acct_unique files } accounting { } session { } post-auth { } pre-proxy { } post-proxy { } Here's my eap.conf: eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { private_key_password = private_key_file = /etc/raddb/certs/mycompany.com.key certificate_file = /etc/raddb/certs/mycompany.com.crt CA_path = /etc/raddb/certs dh_file = /etc/raddb/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes check_crl = yes } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 } mschapv2 { } }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html