Alan, I agree...I should read the docs and the lists more thoroughly.

My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS. I'm just testing now...using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP. I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise.

Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help. If you were given my task, how would you go about implementing this?

thanks,
mack

On 21 Jun 2004 at 11:07, Alan DeKok wrote:

> "Mack" <[EMAIL PROTECTED]> wrote:
> > I had scanned them prior to posting, but there seem to be no
> > solutions to all of the problems people have with this
> > configuration.
>
> From what I can see you're trying to use EAP-TLS, *and* some kind
> of LDAP authorization/authentication, but you're not putting the
> usernames used by EAP-TLS into LDAP.
>
> The solution is simple:
>
> a) put the usernames into LDAP
> b) or, get the clients to use usernames which are in ldap.
>
> > My impression is that most of the "gurus" on the list are assuming
> > WAY too much of some of us newbies. They keep coming back with the
> > same replies, like "read the faqs, readme, rfc, etc., etc."
>
> A significant number of questions on this list are answered in the
> FAQ, README, documentation, etc. Those replies are meant to tell
> people to stop wasting their time asking questions on the list, when
> the answer is already in front of them.
>
> > But, that begs the question: If that's going to be the reply each
> > time, then why even bother with the list in the first place?
>
> If you would read the list, you would see that most of the questions
> involve things which are *not* in the FAQ or README. Those questions
> are answered.
>
> > > > My requirement is to enable 802.1x authentication to the APs
> > > > using EAP/TLS. Additionally, I need to be able to authenticate
> > > > the users to Novell via LDAP.
>
> You can't do this. It's impossible.
>
> EAP-TLS is an authentication mechanism. LDAP doesn't know about
> EAP-TLS, and therefore won't be able to authenticate any EAP-TLS
> request.
>
> > > > The logs keep passing the EAP username (common name from cert)
> > > > to ldap and of course ldap spits it out because the object does
> > > > not exist.
>
> Have you tried adding that object to LDAP? I really don't see what
> the problem is here.
>
> > > > Maybe this isn't even possible, but here's what I had hoped to
> > > > come away with: the wireless user boots their laptop, then gets
> > > > authenticated via eap/tls.
>
> That will work.
>
> > > > They then open a browser, and are asked for username and
> > > > password (via dialog box?), or either redirected to a login
> > > > page.
>
> By who? The AP won't do this. And since the AP won't do this,
> *nothing* will.
>
> > > > The username and password are then passed to ldap for
> > > > authentication. Successful authentication results in the client
> > > > being given internet access. Is this possible?
>
> I doubt it. I also don't understand why you want the user to log in
> twice.
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
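The split Alan describes above, with EAP-TLS doing the authentication from the client certificate and the ldap module only looking up the certificate's common name (sent as User-Name) for authorization, looks like the following FreeRADIUS 1.x radiusd.conf fragment. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; the server name, bind DN, base DN, certificate paths and search filter are assumed placeholders that must match the real eDirectory tree, and the object named by the certificate CN must exist there or the lookup fails exactly as the logs in the thread show.

```conf
modules {
    # Authorization only: LDAP never sees the TLS handshake, it is asked
    # whether the user named in the certificate exists and what to return.
    ldap {
        server   = "ldap.example.edu"          # assumed: eDirectory host
        identity = "cn=radius,o=example"       # assumed: read-only bind DN
        password = "CHANGE-ME"                 # assumed placeholder
        basedn   = "o=example"                 # assumed: search base
        # The EAP-TLS client certificate CN arrives as User-Name, so the
        # filter must match the attribute eDirectory stores that CN in.
        filter   = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes                        # protect the bind password
    }

    eap {
        default_eap_type = tls
        tls {
            private_key_file = ${raddbdir}/certs/server.pem   # assumed path
            certificate_file = ${raddbdir}/certs/server.pem   # assumed path
            # Only clients with certificates issued by this CA pass EAP-TLS.
            CA_file          = ${raddbdir}/certs/ca.pem       # assumed path
            dh_file          = ${raddbdir}/certs/dh
            random_file      = ${raddbdir}/certs/random
        }
    }
}

authorize {
    preprocess
    # eap sets Auth-Type = EAP; ldap then checks that the CN from the
    # certificate is a real directory object (and can add reply items).
    eap
    ldap
}

authenticate {
    # No Auth-Type LDAP here: the password-style LDAP bind can't verify
    # an EAP-TLS request, which is the "impossible" part of the thread.
    Auth-Type EAP {
        eap
    }
}
```

A second browser login after this is a separate captive-portal function that neither the AP nor this configuration provides, which is why the thread says the double login will not happen.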