Re: How to handle EAP/LDAP or files with same server

2006-11-10 Thread Alan DeKok
Keith Moores <[EMAIL PROTECTED]> wrote:
> I have both of these working with one issue, MACs that are not in
> the users file are being sent to LDAP server adding unnecessary load.

  One solution is to recognize MACs, and NOT look them up in LDAP.
Another is to recognize email addresses, and cause them to be looked
up in LDAP.

> The solution I can think of is to only send user names that are
> email addresses to ldap.  Is this something that can be done with a  
> proxy conf and realms?

  No.

  This should work:

#-- users file
DEFAULT User-Name =~ "@", EAP-Message =* 0x00, Autz-Type := email

#---

#--- radiusd.conf
authorize {
 preprocess
 files

 Autz-Type email {
  ldap 
  eap
 }
}
#---

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
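
Added example (not part of the thread, and not FreeRADIUS code): a small Python model of the routing in the reply above, where the DEFAULT entry sets Autz-Type to email only when User-Name contains "@" and an EAP-Message attribute is present, so only those requests reach ldap. It also covers the other option mentioned, recognizing MACs; the MAC formats, function names and sample requests are assumptions made up for illustration.

```python
import re

# MAC spellings a NAS may send as User-Name (assumed formats, not from the thread):
# 001122aabbcc, 00:11:22:aa:bb:cc, 00-11-22-aa-bb-cc, 0011.22aa.bbcc
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}"
    r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$",
    re.IGNORECASE,
)

def classify(user_name):
    """Return 'mac', 'email' or 'other' for a User-Name value."""
    if MAC_RE.match(user_name):
        return "mac"
    if "@" in user_name:  # same unanchored test as User-Name =~ "@"
        return "email"
    return "other"

def autz_type(request):
    """Model of the DEFAULT users entry: both check items must match."""
    has_eap = "EAP-Message" in request  # EAP-Message =* : attribute is present
    if "@" in request.get("User-Name", "") and has_eap:
        return "email"
    return None

def modules_run(request):
    """Modules the authorize section in the reply would call for one request."""
    run = ["preprocess", "files"]
    if autz_type(request) == "email":
        run += ["ldap", "eap"]  # the Autz-Type email sub-section
    return run

def ldap_lookups(requests):
    """Count requests that would cause an LDAP query."""
    return sum("ldap" in modules_run(r) for r in requests)

# Constructed sample requests, not taken from the thread.
SAMPLES = [
    {"User-Name": "user@example.edu", "EAP-Message": b"\x02\x00"},
    {"User-Name": "00:11:22:aa:bb:cc"},
    {"User-Name": "001122aabbcc"},
    {"User-Name": "user@example.edu"},  # email-style name, no EAP-Message
    {"User-Name": "0011.22aa.bbcc", "EAP-Message": b"\x02\x00"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["User-Name"], classify(r["User-Name"]), modules_run(r))
    print("LDAP lookups:", ldap_lookups(SAMPLES), "of", len(SAMPLES))
```

In this model an EAP request whose User-Name has no "@" gets neither ldap nor eap in authorize, which is worth checking against the clients actually deployed.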


How to handle EAP/LDAP or files with same server

2006-11-10 Thread Keith Moores
I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and  
mostly having great success (performance is so much better!) but  
can't seem to figure out how to handle two different types of  
wireless authentication in separate non-overlapping ways.


Case 1 is EAP/TLS where user ID (email address from client cert) is
also looked up via LDAP.


Case 2 is MAC authentication using the users file.

I have both of these working with one issue, MACs that are not in
the users file are being sent to LDAP server adding unnecessary load.


authorize {
 preprocess
 files
 ldap {
  notfound = return
 }
 eap
}

The solution I can think of is to only send user names that are
email addresses to ldap.  Is this something that can be done with a  
proxy conf and realms?  I'm having trouble understanding if/how those  
can influence the authorize section.


Thanks,
-Keith



Keith Moores 
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd      Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324   Fax   (434) 982-4715




