Re: how to limit the repeating ldap lookups

2013-08-28 Thread Iliya Peregoudov

On 28.08.2013 9:48, Olivier Beytrison wrote:

On 28.08.2013 00:20, Martin Kraus wrote:

Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the default freeradius configuration offers.


Why not just call rlm_ldap from the inner-tunnel post-auth section? This 
will ensure it is called only once, and only if inner-tunnel authentication 
succeeds.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote:
 On 28.08.2013 9:48, Olivier Beytrison wrote:
 On 28.08.2013 00:20, Martin Kraus wrote:
 Hi. I'm using groups to authorize users and pull radius profiles for the 
 users.
 My config is similar to what the default freeradius configuration offers.
 
 Why not just call rlm_ldap from the inner-tunnel post-auth section? This
 will ensure it is called only once, and only if inner-tunnel
 authentication succeeds.

I used to use mschapv2 for authentication so I had to lookup passwords in the
authorize section. I'm not sure what would happen if I moved the lookups to
post-auth so I'll need to setup some testing environment for it. 

mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote:
 I'm stuck with 2.1.10 on ubuntu:-(

Without trying to come across as if I'm a stuck record... this is
easy to solve.

https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
 server inner-tunnel {
   authorize {
 eap
 
 # stop processing authorize on eap identity or mschap success/fail
 if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
   noop
 }
 else {
   # rest of config goes here
 }
   }
 }

The hack I'm currently using for EAP-TLS, based on RFC 5216:

# EAP-Message - byte 0   = 2 for EAP-Response
#               byte 1   = Identifier
#               byte 2-3 = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
#               byte 4   = EAP-Type, EAP-TLS = 0x0d (13)
#               byte 5   = FLAGS (L,M,[SR],R,R,R,R,R)
#               byte 6-9 = TLS message length (present only if Flag L is set)
#               byte 10+ = TLS data
# Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
# the client sends at the end of the TLS handshake, signaling the server has been authenticated.
#
# We would like to do ldap lookups only on the last empty EAP-Message - not really possible.
# But we can skip the first few empty messages based on the Identifier field if the client
# starts at 0x01. If not, then we'll have to match all the empty EAP-Messages ^0x02..00060d00$
# The EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
# by the NAS asking for EAP-Identity.
#
# Usually 0x01 is the EAP-Identity, 0x02 is the NAK to our offered PEAP, 0x03 is the client_hello,
# 0x04-0x06 are the EAP-Responses that ack the server side of the handshake, so we skip the first 6
# EAP-Response packets from the client. This is a heuristic, might not work.
if ((EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/)) {
	default = return
}


mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 14:35, Martin Kraus lists...@wujiman.net wrote:

 On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
 server inner-tunnel {
  authorize {
eap
 
# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
  noop
}
else {
  # rest of config goes here
}
  }
 }
 
 The hack I'm currently using for EAP-TLS, based on RFC 5216:
 
# EAP-Message - byte 0   = 2 for EAP-Response
#               byte 1   = Identifier
#               byte 2-3 = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
#               byte 4   = EAP-Type, EAP-TLS = 0x0d (13)
#               byte 5   = FLAGS (L,M,[SR],R,R,R,R,R)
#               byte 6-9 = TLS message length (present only if Flag L is set)
#               byte 10+ = TLS data
# Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
# the client sends at the end of the TLS handshake, signaling the server has been authenticated.
#
# We would like to do ldap lookups only on the last empty EAP-Message - not really possible.
# But we can skip the first few empty messages based on the Identifier field if the client
# starts at 0x01. If not, then we'll have to match all the empty EAP-Messages ^0x02..00060d00$
# The EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
# by the NAS asking for EAP-Identity.
#
# Usually 0x01 is the EAP-Identity, 0x02 is the NAK to our offered PEAP, 0x03 is the client_hello,
# 0x04-0x06 are the EAP-Responses that ack the server side of the handshake, so we skip the first 6
# EAP-Response packets from the client. This is a heuristic, might not work.
if ((EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/)) {
	default = return
}


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?

MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
  On 28/08/13 14:49, Arran Cudbard-Bell wrote:
  
  Does anyone have a configuration which gets it down to a single LDAP query 
  for PEAP?
  
  What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

and TLS.

m.




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:11, Arran Cudbard-Bell wrote:


On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:


On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?


Apparently not; you can apparently run EAP-TLS inside PEAP, which is a 
new one on me.


For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack 
works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:26, Matthew Newton m...@leicester.ac.uk wrote:

 On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
 
 and TLS.

Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants, PEAP 
usually means PEAP with an MSCHAPv2 inner?

and wow did they get rid of the 802.1X profile configuration GUI interface in 
OSX 10.8? That sucks.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: how to limit the repeating ldap lookups

2013-08-28 Thread stefan.paetow
Yes, Alan B had some comments about that IIRC... 

I think Apple these days expect administrators to use the Apple iPhone 
Configuration Utility to create a network profile and import that into your 
802.1X settings. 

Bizarre, but there you are.

Stefan

 -Original Message-
 Fine, yes, also TLS. But in the wonderful world of Microsoft
 supplicants, PEAP usually means PEAP with an MSCHAPv2 inner?
 
 and wow did they get rid of the 802.1X profile configuration GUI
 interface in OSX 10.8? That sucks.






Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
 Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants, PEAP 
 usually means PEAP with an MSCHAPv2 inner?

Windows 7 supports PEAP+TLS. Unlike NetworkManager on Linux distributions. 
 
 and wow did they get rid of the 802.1X profile configuration GUI interface in 
 OSX 10.8? That sucks.

Nope. that profile configuration is still required.

mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:38, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 28/08/13 15:11, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
 
 Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new 
 one on me.
 
 For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. 
 Or under 3.x, eap { ok = return } in the inner-tunnel also works.

OK. Just wondering if you could really get it down to a single lookup, IIRC you 
needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



(was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin
Arran wrote: 
 and wow did they get rid of the 802.1X profile configuration GUI interface in
 OSX 10.8? That sucks.

If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.

--
Brian S. Julin


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?

The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup. 

# When EAP-TLS runs in an EAP-TTLS tunnel the id starts at 0x00 and we skip the NAK, so we want
# to skip only up to 0x04
# When EAP-TLS runs in PEAP the identifiers don't reset, so we need to weed out more messages
if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
	default = return
}
elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
	default = return
}

I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)

However this really isn't foolproof. I think the identifier is first set by the
NAS as it sends the EAP request for identity, so if that starts at something weird
then this will be totally off. I don't know if any RFC requires the identifier
to start at 0.

Then it depends on the size of the information that the server is sending to the
client. That depends on the number of certificates and MTU and fragment size
and who knows what else. In my setup with MTU 1500 it fits in 3
Access-Challenge packets and so far it holds. 

I've checked wpasupplicant and mac osx and there haven't been any problems so
far though so I'm going to stick with it.

I'll investigate the possibility of using ldap lookups in post-auth but that
means no mschapv2 or any other password based auth.

mk
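The EAP-Message byte layout in Martin's first EAP-TLS post above and the EAP-TTLS/PEAP identifier windows in this one are easier to check against packets in code than by eye. The following Python is an added example, not part of this thread and not FreeRADIUS code: it parses the 0x-prefixed hex that FreeRADIUS prints for EAP-Message, classifies each Response the way the thread's regexes do, and counts how many LDAP lookups the identifier heuristic would still let through. The packets it feeds in are constructed from the RFC 3748/5216 layout, not captured; the thresholds 7, 5 and 13 are read off the three regexes (`0[7-9a-f]`, `0[5-9a-f]`, `0[d-f]`), and the function and constant names are this example's own.

```python
# Added example (not from the thread or from FreeRADIUS): decode EAP-Message
# as the thread's regexes do and evaluate the "skip LDAP" conditions against
# constructed packets.  All hex strings below are constructed from the
# RFC 3748 / RFC 5216 wire layout, not captured traffic.
from dataclasses import dataclass
from typing import Optional, Sequence

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_TLS = 13       # 0x0d
EAP_TYPE_MSCHAPV2 = 26  # 0x1a


@dataclass
class EapResponse:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for a 4-octet packet (Success/Failure)
    payload: bytes            # everything after the Type octet


def parse_eap(hex_str: str) -> EapResponse:
    """Parse the 0x-prefixed hex form FreeRADIUS prints for EAP-Message."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.lower().startswith("0x") else hex_str)
    if len(raw) < 4:
        raise ValueError("EAP header is Code, Identifier, Length(2): 4 octets")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} octets")
    eap_type = raw[4] if length >= 5 else None
    return EapResponse(raw[0], raw[1], length, eap_type, raw[5:])


def classify(hex_str: str) -> str:
    """Name the packet the way the thread's unlang conditions tell them apart."""
    r = parse_eap(hex_str)
    if r.code != EAP_CODE_RESPONSE:
        return "not-a-response"
    if r.eap_type == EAP_TYPE_IDENTITY:
        return "identity"
    if r.eap_type == EAP_TYPE_NAK:
        return "nak"
    if r.eap_type == EAP_TYPE_TLS:
        # Flags octet 0x00 and nothing after it: a fragment ACK, or the final
        # empty Response once the client has authenticated the server.
        return "tls-empty-ack" if r.payload == b"\x00" else "tls-data"
    if r.eap_type == EAP_TYPE_MSCHAPV2:
        # 6-octet Response whose only payload octet is OpCode 3 (Success) or
        # 4 (Failure): what /^0x02..00061a..$/ in the thread matches.
        if r.length == 6 and r.payload[0] in (3, 4):
            return "mschapv2-success-fail"
        return "mschapv2-data"
    return "other"


def ldap_runs_mschapv2(hex_str: str) -> bool:
    """PEAP/MSCHAPv2: run LDAP unless the packet is Identity, NAK or the ack."""
    return classify(hex_str) not in ("identity", "nak", "mschapv2-success-fail")


def ldap_runs_eap_tls(hex_str: str, min_identifier: int) -> bool:
    """EAP-TLS heuristic: LDAP only on an empty ack whose Identifier is high
    enough.  7 mirrors /^0x02([1-9a-f].|0[7-9a-f])00060d00$/, 5 the EAP-TTLS
    variant (0[5-9a-f]) and 13 the PEAP variant (0[d-f])."""
    r = parse_eap(hex_str)
    return classify(hex_str) == "tls-empty-ack" and r.identifier >= min_identifier


def ldap_hits_eap_tls(messages: Sequence[str], min_identifier: int) -> int:
    """How many LDAP lookups a sequence of inner EAP-TLS Responses triggers."""
    return sum(ldap_runs_eap_tls(m, min_identifier) for m in messages)


def tls_ack(identifier: int) -> str:
    """Build the 6-octet empty EAP-TLS Response with the given Identifier."""
    return "0x" + bytes([EAP_CODE_RESPONSE, identifier, 0, 6, EAP_TYPE_TLS, 0]).hex()


# Constructed exchange where the NAS started Identifiers at 0x01: three
# fragment acks (0x04..0x06) and the final empty Response (0x07).
HANDSHAKE_FROM_ID1 = [tls_ack(i) for i in (4, 5, 6, 7)]
# Same exchange from a NAS whose Identifiers start at 0x80 (RFC 3748 leaves
# the starting value to the authenticator): every ack is above the threshold.
HANDSHAKE_FROM_ID80 = [tls_ack(i) for i in (0x83, 0x84, 0x85, 0x86)]

if __name__ == "__main__":
    print(ldap_hits_eap_tls(HANDSHAKE_FROM_ID1, 7))   # 1
    print(ldap_hits_eap_tls(HANDSHAKE_FROM_ID80, 7))  # 4
```

Running it shows the caveat raised later in the thread: with Identifiers starting at 0x01 the threshold of 7 leaves exactly one lookup on the final empty Response, but a NAS that starts Identifiers at 0x80 puts every empty ack above the threshold and the filter no longer removes anything.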


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:46, Arran Cudbard-Bell wrote:


OK. Just wondering if you could really get it down to a single
lookup, IIRC you needed the 'known good' NT-Password data for a
couple of rounds of MSCHAPv2?


Nope, just one. The MSCHAP challenge & response arrive at you, you
validate them and in turn generate the response2.

You might be thinking of the first pass in EAP-MSCHAP, where the client 
sends EAP-identity and the server sends EAP-MSCHAP challenge, but that's 
stateless - just a random number. Likewise, the 3rd pass MSCHAP 
success/fail packet is stateless.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 16:00, Martin Kraus wrote:


I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)


Yeah, that's an annoyance of the configurable failover stuff.


However this really isn't foolproof. I think the identifier is first set by
NAS as it sends eap request for identity so if that starts at something weird
then this will be totaly off. I don't know if any rfc requires the identifier
to start at 0.


It doesn't, and you will see cases where this doesn't happen, so I'm 
afraid it's not totally robust.


If you were to upgrade, you could do this all a lot more cleanly; the 
TLS virtual server solves the problem.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
  Apparently not; you can apparently run EAP-TLS inside PEAP,
  which is a new one on me.

Has been running fine here for months. Only real benefit - SoH with
EAP-TLS.

  For PEAP/MSCHAP, under 2.x the link someone posted to my
  horrible hack works. Or under 3.x, eap { ok = return } in
  the inner-tunnel also works.
 
 OK. Just wondering if you could really get it down to a single
 lookup, IIRC you needed the 'known good' NT-Password data for a
 couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual
server, where we can lookup the certificate data in LDAP. It hits
once, after the cert has verified, and allows other things to deny
the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the
mods-available/eap file, option virtual_server in the tls
section.

I backported the patch I wrote to do this to v2 (which is what we
are running); I'm not sure if it made it into the released 2.x
code (I doubt it). It's an easy patch if anyone wants to do it
themselves.

Matthew




Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote:
 Arran wrote: 
  and wow did they get rid of the 802.1X profile configuration GUI interface 
  in
  OSX 10.8? That sucks.
 
 If you think that sucks, wait till you see the horrible things you have to do
 to generate a .mobileconfig without access to an OSX server license.

http://support.apple.com/kb/DL1466

?

But this is getting a bit off-topic.

m.




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
 OK. Just wondering if you could really get it down to a single lookup, IIRC 
 you needed the 'known good' NT-Password data for a couple of rounds of 
 MSCHAPv2?

with

if ((EAP-Type == Identity) || (EAP-Type == NAK) || (EAP-Message =~ /^0x02..00061a..$/)) {
	default = return
}

The only lookup happens on the pass just above the ^EAP-TLS message. Each
^Authorize: line is one Access-Request. The others are Identity, NAK or empty
EAP-Response 0x02..00061a..

Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy= VIRT=default
Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=NAK Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
EAP-TLS: User=test EAP-Type=MS-CHAP-V2 outer.EAP-Type=PEAP EAP-Message=0x0209004... Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=MS-CHAP-V2 EAP-Message=0x030a0004 Packet-Type=Access-Accept, VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default

mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote:
 See the sites-available/check-eap-tls file in v3, and the
 mods-available/eap file, option virtual_server in the tls
 section.
 
 I backported the patch I wrote to do this to v2 (which is what we
 are running); I'm not sure if it made it into the released 2.x
 code (I doubt it). It's an easy patch it anyone wants to do it
 themselves.

I just checked - it's in v2 HEAD. See tls section of eap.conf.

Matthew




Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread David Aldwinckle
It's been a while since I've used it, but doesn't the iPhone Config Utility
generate mobileconfigs that work on OS X?

http://support.apple.com/kb/DL1465


Dave Aldwinckle


On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:

Arran wrote: 
 and wow did they get rid of the 802.1X profile configuration GUI
interface in
 OSX 10.8? That sucks.

If you think that sucks, wait till you see the horrible things you have
to do
to generate a .mobileconfig without access to an OSX server license.

--
Brian S. Julin


Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread A . L . M . Buxey
Hi,

 If you think that sucks, wait till you see the horrible things you have to do
 to generate a .mobileconfig without access to an OSX server license.

what, download the iPhone Configuration Utility?  yes, quite horrible ;-)

alan


RE: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin

OK, fine since everyone seems to have done this more recently than
me, thanks all three of you for the update :-)

This is an improvement.  Back when I was messing with it IIRC this was
only available for server 10.7.

The instructions for signing it are easier than I remember them being as well:

http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

 -Original Message-
 From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org
 [mailto:freeradius-users-bounces+bjulin=clarku@lists.freeradius.org]
 On Behalf Of David Aldwinckle
 Sent: Wednesday, August 28, 2013 2:32 PM
 To: FreeRadius users mailing list
 Subject: Re: (was) RE: how to limit the repeating ldap lookups
 
 Its been a while since I'Ve used it, but doesn't the iPhone Config Utility
 generate mobileconfigs that work on OS X?
 
 http://support.apple.com/kb/DL1465
 
 
 Dave Aldwinckle
 
 
 On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
 
 Arran wrote:
  and wow did they get rid of the 802.1X profile configuration GUI
 interface in
  OSX 10.8? That sucks.
 
 If you think that sucks, wait till you see the horrible things you have
 to do
 to generate a .mobileconfig without access to an OSX server license.
 
 --
 Brian S. Julin


Re: how to limit the repeating ldap lookups

2013-08-27 Thread Alan DeKok
Martin Kraus wrote:
 I'm using TTLS+TLS.

  Then what are you looking up in ldap?

 I can see that the eap { ok = return } automagically skips to the
 authentication section but the first two access-requests in the session cause
 it to return updated status so the ldap lookups are executed. 
 I assume there isn't much I can do about that, right?

  Sure.  You can look at the debug output, see what's different between
packets N and N+1, and use those differences to selectively run ldap.

 I then have a separate problem with the inner-tunnel where the inner-eap never
 returns ok in the authorization section so it keeps on doing the ldap lookups.
 in the session I have it did 9 separate passes which together with the outer
 tunnel is 11 ldap passes which in my case is more than 30 ldap lookups for a
 single user login.

  Again, look at the debug output.

 There are also these warnings in inner-tunnel
 
 WARNING: !!
 WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish!
 WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
 WARNING: !!
 
 but the inner tls session seems to be still progressing fine since the last
 warning is right before the last access-request which results in the
 access-accept for the user. 

  Read it again.  The ONLY time that message is produced is when the EAP
session doesn't finish.  There are likely 2-3 failed attempts before one
success.  If you only look at the success...

 Is there something I can do about the 9 lookups in the inner-tunnel server?
 I'll have a look at the rlm_cache as well but I'm just curious as to why is it
 happening.

  Because that's what you told it to do.  The server is pretty dumb that
way.

  Again, look at the debug log to see what's happening.  *WHY* are you
doing LDAP lookups at all?  Can you not delay them?

  And rlm_cache should help a lot, too.

  Alan DeKok.


Re: how to limit the repeating ldap lookups

2013-08-27 Thread Martin Kraus
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
   Again, look at the debug log to see what's happening.  *WHY* are you
 doing LDAP lookups at all?  Can you not delay them?

Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the default freeradius configuration offers.

 
   And rlm_cache should help a lot, too.

I'm stuck with 2.1.10 on ubuntu:-(

Anyway I managed to filter out most of the redundant ldap lookups. The only
thing I'm stuck with are lookups during TLS negotiation, either in the default
server for EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The
handshake takes 8 access-requests and the only way I can see to filter it out
is to somehow find out if the EAP-Message AVPs contain something to tell me
whether it's about to be done or not.

for EAP-TTLS and PEAP the eap module in authorize section returns ok which
jumps out of the authorize section so the eap module in the authentication
section can process it. But for EAP-TLS it returns handled so the whole
authorize section gets parsed. 

mk


Re: how to limit the repeating ldap lookups

2013-08-27 Thread Olivier Beytrison
On 28.08.2013 00:20, Martin Kraus wrote:
 On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
   Again, look at the debug log to see what's happening.  *WHY* are you
 doing LDAP lookups at all?  Can you not delay them?
 
 Hi. I'm using groups to authorize users and pull radius profiles for the 
 users.
 My config is similar to what the default freeradius configuration offers.
 

   And rlm_cache should help a lot, too.
 
 I'm stuck with 2.1.10 on ubuntu:-(
 
 Anyway I managed to filter out most of the redundant ldap lookups. The only
 thing I'm stuck with are lookups during TLS negotiation, either in the default
 server for EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The
 handshake takes 8 access-requests and the only way I can see to filter it out
 is to somehow find out if the EAP-Message AVPs contain something to tell me
 whether it's about to be done or not.
 

I'm just quoting a mail from Phil Mayers a few months ago on this list.
It contains a check that allows you to run the checks in authorize only
after the EAP tunnel is established. (Use it only in v2.) And remove
ldap from the outer tunnel, you don't need it there anyway.

-
 ..and save some more hits to LDAP by wrapping the call to it in the
 authorization stage to just the EAP Identity packet

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
eap

# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
  noop
}
else {
  # rest of config goes here
}
  }
}

For complete thread :
http://lists.freeradius.org/pipermail/freeradius-users/2013-June/067100.html

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: how to limit the repeating ldap lookups

2013-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2013, at 14:33, Martin Kraus lists...@wujiman.net wrote:

 
 Hi.
 Is it possible to limit the repeating ldap lookups that happen during mschap
 and tls negotiations? Like having an attribute that I could test for which
 would tell me that the negotiation is completed?

If you list the ldap module after the eap module in the default configuration 
then the default config already does this.

You may also want to consider using the rlm_cache module.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-26 Thread Martin Kraus
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
  Is it possible to limit the repeating ldap lookups that happen during mschap
  and tls negotiations? Like having an attribute that I could test for which
  would tell me that the negotiation is completed?
 
 If you list the ldap module after the eap module in the default configuration 
 then the default config already does this.
 
 You may also want to consider using the rlm_cache module.

I'm using TTLS+TLS.

I can see that the eap { ok = return } automagically skips to the
authentication section but the first two access-requests in the session cause
it to return updated status so the ldap lookups are executed. 
I assume there isn't much I can do about that, right?

I then have a separate problem with the inner-tunnel where the inner-eap never
returns ok in the authorization section so it keeps on doing the ldap lookups.
in the session I have it did 9 separate passes which together with the outer
tunnel is 11 ldap passes which in my case is more than 30 ldap lookups for a
single user login.

There are also these warnings in inner-tunnel

WARNING: !!
WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

but the inner tls session seems to be still progressing fine since the last
warning is right before the last access-request which results in the
access-accept for the user. 

Is there something I can do about the 9 lookups in the inner-tunnel server?
I'll have a look at the rlm_cache as well but I'm just curious as to why is it
happening.

thanks
Martin