Hi,

I'm trying to use freeradius with EAP-TTLS and multiple ldap settings. Multiple ldap settings because each of them is looking at a different access attribute and profile DN attribute. I want to select one of the ldap sources for the huntgroup used for wireless clients, and the other one for the wired clients huntgroup.

If I understood it right, this should work when I set my authorize section to:

  preprocess
  files
  Autz-Type wiredLDAP {
     wiredLDAP
  }
  eap

In my users file I have:

DEFAULT Service-Type == Framed-User, Huntgroup-Name == "dot1xWired", \
        Autz-Type := wiredLDAP
  NAS-Port-Type = Ethernet,
  Fall-Through = No

So I thought the request would go through the authorize section, first preprocessing the huntgroups, then selecting the DEFAULT entry in the users file, adding Autz-Type as a check item and selecting the appropriate Autz-Type sub-section based on that item.

However, this doesn't work when I'm using TTLS, where it works only when I have an authorize section like this:

  preprocess
  files
  wiredLDAP
  eap

I think it might have something to do with the eap-ttls module proxying the request back to the localhost, now using the request items from inside the tunnel. If the ldap section gets executed in any case (as in the second authorize section) it works just fine. When I'm using the first authorize section, I get a "no Auth-Type found for this request" error, because no ldap section was processed.

Has anyone encountered problems like this? Is this a bug/not available feature or just a stupid misconfiguration?


Regards, Arne
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
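As an added configuration example (not part of the post above, and not FreeRADIUS's shipped defaults): one layout that lets the users-file Autz-Type selection also take effect inside the EAP-TTLS tunnel. It rests on one assumption, that the inner tunneled request by default carries only the attributes sent inside the tunnel, so the NAS attributes that huntgroups are keyed on are missing there unless the TTLS module is told to copy them in (the copy_request_to_tunnel setting). All hostnames, addresses, DNs, LDAP attribute names and the wirelessLDAP instance are placeholders.

```conf
# Added example, not the original poster's configuration.
# Assumption: without copy_request_to_tunnel the inner request has no
# NAS-IP-Address / NAS-Port-Type, so preprocess cannot assign a
# Huntgroup-Name and the users-file DEFAULT entry never matches inside
# the tunnel.  Placeholder values throughout.

# --- eap.conf (or the eap {} block of radiusd.conf) ---
eap {
        default_eap_type = ttls
        ttls {
                default_eap_type = md5
                # copy outer attributes into the tunneled request so that
                # preprocess/huntgroups and the users file see the same NAS
                # information on the inner run as on the outer run
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

# --- modules: two ldap instances, each keyed on its own attributes ---
modules {
        ldap wiredLDAP {
                server = "ldap.example.com"                    # placeholder
                identity = "cn=radius,dc=example,dc=com"       # placeholder
                password = "PLACEHOLDER"
                basedn = "ou=people,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                access_attr = "wiredAccess"                    # placeholder
                profile_attribute = "wiredProfileDN"           # placeholder
        }
        ldap wirelessLDAP {
                server = "ldap.example.com"                    # placeholder
                identity = "cn=radius,dc=example,dc=com"       # placeholder
                password = "PLACEHOLDER"
                basedn = "ou=people,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                access_attr = "wirelessAccess"                 # placeholder
                profile_attribute = "wirelessProfileDN"        # placeholder
        }
}

# --- huntgroups: which NAS devices count as wired / wireless ---
dot1xWired      NAS-IP-Address == 192.0.2.10, NAS-Port-Type == Ethernet
dot1xWireless   NAS-IP-Address == 192.0.2.20, NAS-Port-Type == Wireless-802.11

# --- users: pick the ldap instance from the huntgroup ---
DEFAULT Huntgroup-Name == "dot1xWired", Autz-Type := wiredLDAP
        Fall-Through = Yes
DEFAULT Huntgroup-Name == "dot1xWireless", Autz-Type := wirelessLDAP
        Fall-Through = Yes

# --- authorize (radiusd.conf in 1.x; in 2.x the same list belongs in the
# inner-tunnel virtual server as well, since that is what the TTLS
# module runs for the tunneled request) ---
authorize {
        preprocess
        files
        Autz-Type wiredLDAP {
                wiredLDAP
        }
        Autz-Type wirelessLDAP {
                wirelessLDAP
        }
        eap
}
```

When checking whether this is the cause, run the server with debugging enabled (radiusd -X) and compare the attribute list printed for the outer request with the one printed for the tunneled request: if NAS-IP-Address and NAS-Port-Type are absent from the inner one, neither huntgroup nor the users-file entry can match there, and the Autz-Type sub-section is never reached.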
