Here is the result of my first attempt. I added a Pukey-EAP entry in the LDAP tree but it didn't do much good. And I can't tell whats the matter with my CA.
rad_recv: Access-Request packet from host 192.168.0.250:1110, id=8, length=159 User-Name = "Pukey-EAP" Cisco-AVPair = "ssid=Pukey-EAP" NAS-IP-Address = 192.168.0.250 Called-Station-Id = "004096285ceb" Calling-Station-Id = "00095b679ccf" NAS-Identifier = "AP340-285ceb" NAS-Port = 37 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Login-User EAP-Message = 0x020d000e0150756b65792d454150 Message-Authenticator = 0xebe4683da315ee95109c4736a19a37cd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 rlm_ldap: - authorize rlm_ldap: performing user authorization for Pukey-EAP radius_xlat: '(uid=Pukey-EAP)' radius_xlat: 'dc=pukey' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=pukey, with filter (uid=Pukey-EAP) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns notfound for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Pukey-EAP", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Pukey-EAP" rlm_realm: Proxying request from user Pukey-EAP to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 13 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 8 to 192.168.0.250 port 1110 EAP-Message = 0x010e00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5a40fabb5846577f6543672d9313801 Finished request 7 Going to the next request Here is my /etc/xsupplicant.conf network_list = all default_netname = Pukey-EAP Pukey-EAP { type = wireless allow_types = eap_peap identity = Pukey-EAP eap-peap { random_file = /dev/urandom root_cert = /etc/raddb/certs/root.pem chunk_size = 1398 allow_types = eap_mschapv2 eap-mschapv2 { username = User password = Password } } } I've created a SSID called Pukey-EAP it requires EAP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html