Erik Karlsson wrote:
> I am trying to set up a simple WLAN authentication using EAP-TTLS to
> avoid client certificates and PAM to use the server system
> authentication scheme. PAM doesn't know about users, and the users are
> situated in an LDAP database, which I think makes it logical to use
> rlm_ldap for authorization. I.e. I just want to check that users exist
> in LDAP and then move on to checking the password against PAM.

Why not also get the passwords from ldap? Why use PAM at all?

> The problem is that PAM is never used. This seems to be an artifact of
> the fact that rlm_ldap is supposed to fetch a "known good" password, but
> I don't have passwords in the LDAP database. rlm_ldap is indeed
> successful in authorizing, but there is no Auth-Type set to handle the
> authentication.

If you want to use PAM, you have to force it via Auth-Type.

> If I for example force Auth-Type to PAM in the users file (not good, I
> know), TTLS-negotiation is never run.

Because TTLS involves *two* authentication sessions. An outer one for
EAP-TTLS, and an inner "tunneled" session where the real user-name &&
password is sent.

Follow my web site (deployingradius.com) to get EAP-TTLS working. Once
that's working, add LDAP authorization. Then, add PAM to the *inner*
tunnel section.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
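A concrete inner-tunnel configuration along the lines Alan describes, added here as an example and not taken from the post or from the FreeRADIUS distribution. It assumes the 2.x/3.x virtual-server layout (raddb/sites-enabled/inner-tunnel), the stock module names ldap and pam, and that the supplicant uses PAP inside the TTLS tunnel, since PAM needs the clear-text password.

```unlang
# Added example (assumed file: raddb/sites-enabled/inner-tunnel).
# The outer EAP-TTLS server stays as shipped; only the tunnelled request
# is changed, because that is where the real User-Name and User-Password
# arrive. Assumes PAP as the inner method so User-Password is present.
server inner-tunnel {
    authorize {
        # Look the user up in LDAP. With no password attribute stored,
        # rlm_ldap returns ok/updated on a hit and notfound otherwise,
        # but it sets no Auth-Type, which is why nothing authenticated.
        ldap
        if (notfound) {
            reject
        }

        # The user exists in LDAP and a clear-text password came through
        # the tunnel: force the password check over to PAM. This replaces
        # the "Auth-Type := PAM" line from the users file, which would
        # otherwise fire on the outer request and stop TTLS from running.
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := PAM
            }
        }
    }

    authenticate {
        # rlm_pam checks User-Name/User-Password against the host's PAM
        # stack (service name set by pam_auth in the pam module config).
        Auth-Type PAM {
            pam
        }
    }
}
```

Run radiusd -X and look for the inner-tunnel request in the debug output to confirm that ldap returns ok and that the Auth-Type PAM section is entered only there.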