Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
That did it, thanks everyone,

Dan


On Thu, 2004-11-04 at 12:49, Alan DeKok wrote:
> > I uncommented and did appropriate changes (below) to the ldap section of
> > the modules area.  What else needs done?  I am deleting the commented
> > lines.
> 
>   Un-comment other references to ldap in radiusd.conf.
> 
>   At least in the "authorize" section.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
> I uncommented and did appropriate changes (below) to the ldap section of
> the modules area.  What else needs done?  I am deleting the commented
> lines.

  Un-comment other references to ldap in radiusd.conf.

  At least in the "authorize" section.

  Alan DeKok.



Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
I uncommented and did appropriate changes (below) to the ldap section of
the modules area.  What else needs done?  I am deleting the commented
lines.

Dan

ldap {
server = "lap server's real name"
basedn = "ou=People,dc=igb,dc=uiuc,dc=edu"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> Thanks for the info, now we are getting somewhere I just have unchecked
> the "validate server certificate" area for now. Now I am getting a
> rejection.  Any ideas?

  You said you were storing the passwords in LDAP, but the debug log
doesn't show the LDAP module being used:

>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 6
>   modcall[authorize]: module "preprocess" returns ok for request 6
>   modcall[authorize]: module "chap" returns noop for request 6
>   modcall[authorize]: module "mschap" returns noop for request 6
> rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 6
>   rlm_eap: EAP packet type response id 6 length 90
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 6
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 6
> modcall: group authorize returns updated for request 6

  There's no mention of LDAP, so the server doesn't have the NT password.

>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
>   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

  Yup.

  Alan DeKok.
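
The check described in the reply above, as an added example (not part of the original thread and not FreeRADIUS code): it splits a debug log into authorize passes and, for each MS-CHAP "No NT/LM-Password" failure, reports whether the module expected to supply the hash ever ran. The function names and the password_sources parameter are assumptions of this example; the sample is a trimmed excerpt of the log posted in this thread.

```python
import re

# Trimmed excerpt of the debug log posted in this thread (tunneled MS-CHAPv2 pass).
SAMPLE_LOG = '''\
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
  modcall[authorize]: module "suffix" returns noop for request 6
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  modcall[authenticate]: module "mschap" returns reject for request 6
'''

ENTER_AUTHORIZE = re.compile(r"modcall: entering group authorize for request (\d+)")
MODULE_RESULT = re.compile(
    r'modcall\[authorize\]: module "([^"]+)" returns (\w+) for request \d+')
NO_HASH = "rlm_mschap: FAILED: No NT/LM-Password"
# Return codes meaning the module ran but added nothing to the request.
INERT = {"noop", "notfound"}


def authorize_passes(log):
    """Split a debug log into authorize passes, one dict per pass."""
    passes = []
    for line in log.splitlines():
        started = ENTER_AUTHORIZE.search(line)
        if started:
            passes.append({"request": int(started.group(1)),
                           "modules": [], "no_hash": False})
            continue
        if not passes:
            continue  # ignore anything before the first authorize pass
        result = MODULE_RESULT.search(line)
        if result:
            passes[-1]["modules"].append((result.group(1), result.group(2)))
        elif NO_HASH in line:
            # The failure belongs to the authorize pass that preceded it.
            passes[-1]["no_hash"] = True
    return passes


def diagnose(log, password_sources=("ldap",)):
    """Explain each 'No NT/LM-Password' failure by what authorize actually ran."""
    findings = []
    for p in authorize_passes(log):
        if not p["no_hash"]:
            continue
        ran = dict(p["modules"])
        for source in password_sources:
            if source not in ran:
                findings.append('request %d: "%s" never ran in authorize (ran: %s)'
                                % (p["request"], source, ", ".join(ran)))
            elif ran[source] in INERT:
                findings.append('request %d: "%s" ran but returned %s'
                                % (p["request"], source, ran[source]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```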




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
Thanks for the info, now we are getting somewhere I just have unchecked
the "validate server certificate" area for now. Now I am getting a
rejection.  Any ideas?

thanks again for the help,

Dan


rad_recv: Access-Request packet from host 128.174.124.2:1024, id=0,
length=224
User-Name = "dbdavids"
NAS-IP-Address = 128.174.124.2
Called-Station-Id = "000f66e4c41c"
Calling-Station-Id = "009096b43336"
NAS-Identifier = "000f66e4c41c"
NAS-Port = 49
Framed-MTU = 1400
State = 0x05d6753b0d1d6b5e153b275d9693ef57
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206005a1900170301004f8c8a20407e2068158e8d78c30ec38160e43b0f78ff2b701605b5c79b9de8900c48fb91b49db5bf9dcddd5ccabb4790c6ae46fc07f331bd23bbc88023d68b2e78a4ab7763627926a560ed58927beae5
Message-Authenticator = 0xa25e2734559e8d05f9cb602baa181907
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 90
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message =
0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
  PEAP: Setting User-Name to dbdavids
  PEAP: Adding old state with c7 00
  PEAP: Sending tunneled request
EAP-Message =
0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dbdavids"
State = 0xc7001f0cb231ff08af3c8015aa53f2fd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "dbdavids", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x552ade3c50 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Mes

Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Michael Griego
Are you sure that you have the CA certificate you're using with
FreeRADIUS installed on the XP system you're using as a supplicant? 
This could be a symptom of XP not recognizing the signer of the
certificate presented in the 802.1x conversation and refusing to
continue authentication.

FYI, here, we're using the ntPassword attribute in LDAP *without* the 0x
in front, and it's working fine.  The code will use it either way.

--Mike


On Thu, 2004-11-04 at 10:58, Daniel Davidson wrote:
> It never gives one with this configuration, it just keeps repeating the
> same request over and over again, never accepting or rejecting after the
> Access-Challenge is sent back to the access point.
> 
> Dan
> 
> 
> On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> > Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > > while looking at the radiusd.conf file, I noticed that the ldap area
> > > said something about that to use the sambaNTPassword field that it has
> > > to start with a 0x.  Does this mean that in LDAP that this value must be
> > > stored as:
> > > 
> > > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
> > 
> >   I don't think that's necessary.  The MS-CHAP module is the only one
> > which interprets that string, and it is forgiving of the format.
> > 
> >   The larger issue is that the debug log you posted doesn't finish.
> > i.e. It doesn't contain a reject OR a success.  Get a debug log with
> > an accept or reject, and it will then be possible to tell what's going
> > on.
> > 
> >   Alan DeKok.
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
It never gives one with this configuration, it just keeps repeating the
same request over and over again, never accepting or rejecting after the
Access-Challenge is sent back to the access point.

Dan


On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > while looking at the radiusd.conf file, I noticed that the ldap area
> > said something about that to use the sambaNTPassword field that it has
> > to start with a 0x.  Does this mean that in LDAP that this value must be
> > stored as:
> > 
> > sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
> 
>   I don't think that's necessary.  The MS-CHAP module is the only one
> which interprets that string, and it is forgiving of the format.
> 
>   The larger issue is that the debug log you posted doesn't finish.
> i.e. It doesn't contain a reject OR a success.  Get a debug log with
> an accept or reject, and it will then be possible to tell what's going
> on.
> 
>   Alan DeKok.
> 
> 


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> while looking at the radiusd.conf file, I noticed that the ldap area
> said something about that to use the sambaNTPassword field that it has
> to start with a 0x.  Does this mean that in LDAP that this value must be
> stored as:
> 
> sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

  I don't think that's necessary.  The MS-CHAP module is the only one
which interprets that string, and it is forgiving of the format.

  The larger issue is that the debug log you posted doesn't finish.
i.e. It doesn't contain a reject OR a success.  Get a debug log with
an accept or reject, and it will then be possible to tell what's going
on.

  Alan DeKok.




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
I finally have freeradius to where it looks like Peap is at least trying
to auth properly.  However it looks like for some reason it is not
getting the job done, it just keeps trying to authenticate and never
gets the job done.  My LDAP database has userPassword to the MD5 salt
encrypted version usually found in the files of my fedora machine,
sambaLMPassword and sambaNTPassword contain the 32 digit long
hexadecimal string needed to auth samba to ldap, an example from a
removed account is below:

sambaNTPassword: 01FC5A6BE7BC6929AAD3B435B51404EE

while looking at the radiusd.conf file, I noticed that the ldap area
said something about that to use the sambaNTPassword field that it has
to start with a 0x.  Does this mean that in LDAP that this value must be
stored as:

sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

If this is so, how does everyone with this setup still get samba to work
properly with the ldap database and freeradius?  When I change so that
the account is like this it breaks the ability to log on with samba.

Otherwise, anyone have any ideas on what I am doing wrong?

thanks,

Dan


radiusd.conf changes:
NOTE: no auth needed to get password hashes from ldap (this will change
after I get this working)
ldap {
server = "the.server"
basedn = "ou=People,dc=igb,dc=uiuc,dc=edu"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

eap.conf changes:
see attached file


radiusd -xxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib64"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib64
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: cert

Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-03 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> What should default Auth-type be set to then?  Right now I am getting a:
> 
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> 
> error message from the daemon.

  Then you've edited the default "radiusd.conf" so that the server can
no longer figure it out.

  The default "radiusd.conf" is designed specifically so that the
server can figure out most situations, and so that you have to change
as little as possible to get it to work.

  You said the clients were doing EAP, and that you were using an LDAP
database to store user information.  Use the default "radiusd.conf",
and make as few changes as possible to it.  Uncomment "ldap" from a
few places, and configure the "ldap" module.  If you have clear-text
passwords in LDAP, it WILL work.

  The only way you get the above error message when the client is
using EAP is if you deleted "eap" from the "authorize" section.

  Alan DeKok.




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-03 Thread Daniel Davidson
What should default Auth-type be set to then?  Right now I am getting a:

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

error message from the daemon.

thanks again,

Dan




On Tue, 2004-11-02 at 17:10, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > Probably a stupid question, but I assume you mean that in the users file
> > I do not set it to:
> > 
> > DEFAULT Auth-type := LDAP
> > 
> > and in the authenticate {} area of radiusd.conf the ldap areas should be
> > commented out.
> 
>   Yes.
> 
> > Is this correct and what should the proper settings be to get this done?
> 
>   Do what you said.
> 
>   Alan DeKok.
> 


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-02 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> Probably a stupid question, but I assume you mean that in the users file
> I do not set it to:
> 
> DEFAULT Auth-type := LDAP
> 
> and in the authenticate {} area of radiusd.conf the ldap areas should be
> commented out.

  Yes.

> Is this correct and what should the proper settings be to get this done?

  Do what you said.

  Alan DeKok.



Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-02 Thread Daniel Davidson
Probably a stupid question, but I assume you mean that in the users file
I do not set it to:

DEFAULT Auth-type := LDAP

and in the authenticate {} area of radiusd.conf the ldap areas should be
commented out.

Is this correct and what should the proper settings be to get this done?

thanks,

Dan


On Tue, 2004-11-02 at 11:43, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > So is there a way to have users authorize themselves with an LDAP
> > server, and what is the process for doing that?  Use PAM and set the
> > system up to have PAM auth against LDAP?
> 
>   No.  You already have authorization being done via LDAP.
> 
>   What I said was "Don't set Auth-Type LDAP, and it will work".
> 
>   Try that.  Now.
> 
>   Alan DeKok.
> 


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-02 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> So is there a way to have users authorize themselves with an LDAP
> server, and what is the process for doing that?  Use PAM and set the
> system up to have PAM auth against LDAP?

  No.  You already have authorization being done via LDAP.

  What I said was "Don't set Auth-Type LDAP, and it will work".

  Try that.  Now.

  Alan DeKok.



Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-02 Thread Daniel Davidson
So is there a way to have users authorize themselves with an LDAP
server, and what is the process for doing that?  Use PAM and set the
system up to have PAM auth against LDAP?

Dan


On Tue, 2004-11-02 at 09:40, Alan DeKok wrote:
> Daniel Davidson <[EMAIL PROTECTED]> wrote:
> > I am sure this has been answered many times, but I cannot find it. I
> > keep getting "Login incorrect: [danield/]"
> > errors and I cannot figure out where the problem is I realize there is
> > some stuff I can take out, but I Here is the log.
> ...
> >   rad_check_password:  Found Auth-Type LDAP
> 
>   Why?
> 
> > rlm_ldap: Attribute "User-Password" is required for authentication.
> >   modcall[authenticate]: module "ldap" returns invalid for request 4
> 
>   Exactly.  LDAP doesn't do EAP.  Search the list archives for long
> threads explaining why.
> 
>   Don't set "Auth-Type = LDAP", and it will work.
> 
>   Alan DeKok.
> 
> 


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-02 Thread Alan DeKok
Daniel Davidson <[EMAIL PROTECTED]> wrote:
> I am sure this has been answered many times, but I cannot find it. I
> keep getting "Login incorrect: [danield/]"
> errors and I cannot figure out where the problem is I realize there is
> some stuff I can take out, but I Here is the log.
...
>   rad_check_password:  Found Auth-Type LDAP

  Why?

> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 4

  Exactly.  LDAP doesn't do EAP.  Search the list archives for long
threads explaining why.

  Don't set "Auth-Type = LDAP", and it will work.

  Alan DeKok.

