Grant, Alastair Ian wrote:

Paul, How is your radiusd.conf configured for authorization and authentication? Which modules have to be enabled where? Also, how are your eap settings configured? If you don't mind sending snippets from the files, that would probably be easiest. Thanks!

-Al

I have attached the important snippets from my radiusd.conf file and my eap.conf file. The only differences from my actual files are that the LDAP bind password has been replaced with <secret> and the comments have been removed.


The only methods that I have configured are eap, mschap and ldap. Within eap, the only methods I have configured are tls, ttls, peap and mschapv2.

I bind to the LDAP server using an identity+password since one of the attributes I read (triggered by the ldap.attrmap file) is the sambaNTPassword (mapped to NT-Password by the ldap.attrmap file). This attribute is used for mschap authentication.

----- begin radiusd.conf snippets -----

modules {
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.private"
        start_tls = yes
        tls_cacertfile = /etc/certs/ca-bender.crt
        tls_randfile = /var/urandom
        tls_require_cert = "demand"
        identity = "uid=_radiusd_,ou=users,dc=private"
        password = "<secret>"
        basedn = "dc=private"
        filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
    }
}
authorize {
    preprocess
    mschap
    suffix
    ntdomain
    eap
    files
    ldap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}


----- end radiusd.conf snippets -----


----- begin eap.conf -----

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_file = ${sysconfdir}/certs/radius.private.pem
        certificate_file = ${sysconfdir}/certs/radius.private.crt
        CA_file = ${sysconfdir}/certs/ca-bender.crt
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = md5
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}


----- end eap.conf -----
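As an added example (not part of the thread or of FreeRADIUS itself), the following Python script parses the brace-delimited radiusd.conf/eap.conf syntax shown above into nested dicts and audits the settings a reviewer would check first: that the LDAP bind is protected by start_tls with certificate verification, and which inner EAP method each tunnel defaults to. The embedded configuration is a constructed reduction of the snippets posted above.

```python
import re

# Constructed copy of the ldap and eap blocks posted above, so the checker runs offline.
SAMPLE_CONF = """
ldap {
    server = "ldap.private"
    start_tls = yes
    tls_require_cert = "demand"
    identity = "uid=_radiusd_,ou=users,dc=private"
    password = "<secret>"
}
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = md5
    }
    peap {
        default_eap_type = mschapv2
    }
}
"""

def parse_conf(text):
    """Parse 'name { key = value }' blocks into nested dicts.
    Sub-blocks become dicts; leaf settings become strings with quotes stripped;
    bare module names (as in authorize {}) become keys with an empty value."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("$INCLUDE"):
            continue
        cur = stack[-1] if stack else root
        m = re.match(r"^(.+?)\s*\{$", line)  # block header, e.g. 'Auth-Type MS-CHAP {'
        if m:
            stack.append(cur.setdefault(m.group(1), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return root

def audit(conf):
    """Return findings about the LDAP bind transport and the tunnelled inner EAP methods."""
    findings = []
    ldap = conf.get("ldap", {})
    if ldap.get("start_tls") != "yes":
        findings.append("ldap: start_tls is off; the bind password crosses the wire in clear")
    if ldap.get("tls_require_cert") != "demand":
        findings.append("ldap: tls_require_cert should be 'demand' so the LDAP server cert is verified")
    for tunnel in ("ttls", "peap"):
        inner = conf.get("eap", {}).get(tunnel, {}).get("default_eap_type")
        if inner == "md5":
            findings.append(f"eap/{tunnel}: inner EAP-MD5 needs a cleartext password and cannot use NT-Password; prefer mschapv2")
    return findings
```

Run against the posted snippets, only the TTLS inner-method default is flagged; the LDAP transport settings pass.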

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html