Ok, I skimmed through the mailing list notes last night (mostly via Google) and found a number of notes that said it was only possible to do EAP authentications against an LDAP server if the server has either cleartext passwords or NT hashes in it. Some of those notes were very old and the ldap_howto.txt doc is also rather old with no reference to 802.1x, so I'm hoping to get an updated answer.
My LDAP choices are the AD domain controllers and our iPlanet LDAP servers - the iPlanet servers have crypted passwords and no NT hash info, so I believe they're out of this(?) The AD LDAP might have a way for me to make use of PEAP or TTLS, but I'm running into a bit of trouble with the user binding at this time.

I'm back to reading, but figured I'd include my AD/LDAP config just in case someone sees something blindingly wrong with it.

andrew.

:radiusd.conf:
ldap {
        server = "domaincon.test.drexel.edu"
        basedn = "dc=drexel,dc=edu"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

:eap.conf:
tls {
        # private_key_password = whatever
        private_key_file = ${raddbdir}/certs/keycert.pem
        certificate_file = ${raddbdir}/certs/keycert.pem
        CA_file = ${raddbdir}/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        copy_request_to_tunnel = no
        use_tunneled_reply = no
}
ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
}
peap {
        default_eap_type = mschapv2
}