"Mack" <[EMAIL PROTECTED]> wrote:
> I had scanned them prior to posting, but there seem to be no solutions
> to all of the problems people have with this configuration.

  From what I can see, you're trying to use EAP-TLS, *and* some kind
of LDAP authorization/authentication, but you're not putting the
usernames used by EAP-TLS into LDAP.

  The solution is simple:

  a) put the usernames into LDAP
  b) or, get the clients to use usernames which are in LDAP.

>   My impression is that most of the "gurus" on the list are assuming
> WAY too much of some of us newbies.  They keep coming back with the
> same replies, like "read the faqs, readme, rfc, etc., etc."

  A significant number of questions on this list are answered in the
FAQ, README, documentation, etc.  Those replies are meant to tell
people to stop wasting their time asking questions on the list, when
the answer is already in front of them.

>  But, that begs the question: If that's going to be the reply each
> time, then why even bother with the list in the first place?

  If you would read the list, you would see that most of the questions
involve things which are *not* in the FAQ or README.  Those questions
are answered.

> > > My requirement is to enable 802.1x authentication to the APs
> > > using EAP/TLS. Additionally, I need to be able to authenticate
> > > the users to Novell via LDAP.

  You can't do this.  It's impossible.

  EAP-TLS is an authentication mechanism.  LDAP doesn't know about
EAP-TLS, and therefore won't be able to authenticate any EAP-TLS
request.

> > > The logs keep passing the EAP username (common name from cert)
> > > to ldap and of course ldap spits it out because the object does
> > > not exist.

  Have you tried adding that object to LDAP?  I really don't see what
the problem is here.

> > > Maybe this isn't even possible, but here's what I had hoped to
> > > come away with: the wireless user boots their laptop, then gets
> > > authenticated via eap/tls.

  That will work.

> > >   They then open a browser, and are asked for username and
> > > password (via dialog box?), or either redirected to a login
> > > page.

  By who?  The AP won't do this.  And since the AP won't do this,
*nothing* will.

> > >   The username and password are then passed to ldap for
> > > authentication.  Successful authentication results in the client
> > > being given internet access.  Is this possible?

  I doubt it.  I also don't understand why you want the user to log in
twice.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html