We are using eap-tls for authentication assisted with a database for filling in some attributes. FreeRADIUS Version 2.1.3 with minimal configuration will do a sql lookup for each round. (Four selects: radcheck, radusergroup, radgroupcheck and radgroupreply). There are 6-9 rounds depending on certificate chain sizes. Obviously performance would be better with only one database lookup.

Part of the (attempted) configuration:

    authorize {
        preprocess
        eap
        if (I have tried some conditions here) {
            sql
            if (notfound) {
                fail
            }
        }
    }

    authenticate {
        eap
    }

Is there some nice condition that will result in only one lookup in the database?

A thing that complicates things is that TLS (that declares Success I believe) is run during authenticate, which is later than the attempted database lookup. The TLS outcome is pretty well known in the second last round: There are logs saying

    [tls] (other): SSL negotiation finished successfully
    SSL Connection Established

but there is still one Access-Challenge. So if this fact could be tested in the last round, that test would be a nice candidate for doing the sql update.

As an aside: Is there a way to really inspect the client certificate (preferably the entire chain) and let it affect some logic (in perl as an example)?