Re: eap-ttls with ldap

2011-11-20 Thread Fajar A. Nugraha
On Mon, Nov 21, 2011 at 12:10 AM, Angelica Delgado wrote:
> Yes it is active directory.  If it needs to be configured different when
> using AD?

Since you said "We configured ldap module to connect to our Active
Directory as a ldap server.  This is currently working", you should be
able to get it working by configuring sites-available/inner tunnel to
be roughly the same as sites-available/default.

How DID you get it working (minus ttls part) in the first place?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap-ttls with ldap

2011-11-20 Thread Alan DeKok
Angelica Delgado wrote:
> Yes it is active directory.  If it needs to be configured different when
> using AD?

  Yes.  See my guide http://deployingradius.com


Re: eap-ttls with ldap

2011-11-20 Thread Angelica Delgado
Yes it is active directory.  If it needs to be configured different when
using AD?


Re: eap-ttls with ldap

2011-11-20 Thread Alan DeKok
Angelica Delgado wrote:
> Thanks, you were right.  I needed to include eap.conf under radiusd.conf
> file.  Now, I am getting incorrect login even though ldap credentials
> are correct.  Can you please let me know what other file needs to be
> modified to use ttls with ldap?

  The error message should be clear.

> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?

  What part of that is hard to understand?

  Let me guess... the LDAP server is Active Directory?

  Alan DeKok.


Re: eap-ttls with ldap

2011-11-16 Thread Alan Buxey
hi,

as Alan says.. if you installed by package manager, ensure you've got all
the freeradius packages.  if you've been editing files, then check
radiusd.conf and ensure you are including eap.conf

alan


Re: eap-ttls with ldap

2011-11-16 Thread Alan DeKok
Angelica Delgado wrote:
> Following is the whole output of radiusd -X:

  The only way that the EAP module wasn't found is that you haven't
installed the relevant RPMs.  Go do that.

  Alan DeKok.


Re: eap-ttls with ldap

2011-11-16 Thread Angelica Delgado
Following is the whole output of radiusd -X:

FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30
2009 at 13:47:58
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mschapBck
including configuration file /etc/raddb/modules/ldapBck
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
 prefix = "/usr"
 localstatedir = "/var"
 logdir = "/var/log/radius"
 libdir = "/usr/lib/freeradius"
 radacctdir = "/var/log/radius/radacct"
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 pidfile = "/var/run/radiusd/radiusd.pid"
 checkrad = "/usr/sbin/checkrad"
 debug_level = 0
 proxy_requests = yes
 log {
 stripped_names = no
 auth = yes
 auth_badpass = no
 auth_goodpass = no
 }
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
 }
 home_server localhost {
 ipaddr = 127.0.0.1
 port = 1812
 type = "auth"
 secret = "testing123"
 response_window = 20
 max_outstanding = 65536
 require_message_authenticator = no
 zombie_period = 40
 status_check = "status-server"
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
 irt = 2
 mrt = 16
 mrc = 5
 mrd = 30
 }
 home_server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
 }
 realm example.com {
 auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client 10.10.10.10{
 require_message_authenticator = no
 secret = "***"
 sho

Re: eap-ttls with ldap

2011-11-16 Thread Alan Buxey
Your freeradius server was built with EAP support (openSSL support) ?

this was not the whole output of radiusd -X

alan




Re: eap-ttls with ldap

2011-11-16 Thread Alan DeKok
Angelica Delgado wrote:
> I am getting the following error, when eap is enable on inner-tunnel:
>  
> /etc/raddb/sites-enabled/inner-tunnel[228]: Failed to find module "eap".

  Well... you don't have the EAP module.

  Or, you could look at the *rest* of the error messages to see what's
going on.

  Alan DeKok.
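The two debug-output symptoms the thread keeps coming back to (inner-tunnel failing to find the "eap" module when eap.conf is never included, and rlm_ldap's "No known good password" warning against Active Directory) can be triaged mechanically. The following is an added example written for this page, not FreeRADIUS code; the sample debug lines are constructed to match the shape of what was posted, and the suggested fixes are the ones the list replies give.

```python
"""Triage helper for radiusd -X output.

Added example for this thread, not FreeRADIUS code: it scans debug output for
the two symptoms quoted on the list (an "eap" module that inner-tunnel cannot
find, and rlm_ldap's "known good password" warning) and maps each to the fix
the thread arrives at.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the startup output quoted in the thread:
# the include list never reads eap.conf, so inner-tunnel's "eap" reference fails.
SAMPLE_STARTUP = """\
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/modules/ldap
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
/etc/raddb/sites-enabled/inner-tunnel[228]: Failed to find module "eap".
/etc/raddb/sites-enabled/inner-tunnel[178]: Errors parsing authenticate section.
"""

# Constructed sample of the authentication-time warning quoted in the thread.
SAMPLE_AUTH = """\
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
"""

INCLUDE_RE = re.compile(r"^including configuration file (\S+)")
MISSING_MODULE_RE = re.compile(r'^(\S+)\[(\d+)\]: Failed to find module "([^"]+)"')
NO_KNOWN_GOOD = 'No "known good" password was found in LDAP'


def triage(debug_output: str) -> List[Dict[str, str]]:
    """Return one {symptom, cause, fix} dict per recognised problem."""
    findings: List[Dict[str, str]] = []
    included = set()  # every config file the server reported reading
    for line in debug_output.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            included.add(m.group(1))
            continue
        m = MISSING_MODULE_RE.match(line)
        if m:
            path, lineno, module = m.groups()
            symptom = f'{path}[{lineno}] references module "{module}" that is not defined'
            # Distinguish "eap.conf never read" from "module genuinely missing".
            if module == "eap" and not any(p.endswith("/eap.conf") for p in included):
                findings.append({
                    "symptom": symptom,
                    "cause": "eap.conf was never read, so no eap module instance exists",
                    "fix": "add '$INCLUDE eap.conf' to radiusd.conf (and install the EAP package)",
                })
            else:
                findings.append({
                    "symptom": symptom,
                    "cause": f'no "{module}" module configuration was loaded',
                    "fix": f'define or install the "{module}" module',
                })
            continue
        if NO_KNOWN_GOOD in line:
            findings.append({
                "symptom": "LDAP returned no password attribute for the user",
                "cause": "the directory (typically Active Directory) exposes no cleartext or "
                         "hashed password, so the server cannot verify it locally",
                "fix": "inner PAP: let rlm_ldap bind as the user (Auth-Type LDAP); "
                       "inner MS-CHAPv2: use ntlm_auth",
            })
    return findings


def summary(debug_output: str) -> str:
    """Plain-text report of the findings, e.g. for pasting back into a ticket."""
    lines = [f"symptom: {f['symptom']}\n  cause: {f['cause']}\n  fix:   {f['fix']}"
             for f in triage(debug_output)]
    return "\n".join(lines) or "no known symptoms found"


if __name__ == "__main__":
    print(summary(SAMPLE_STARTUP))
    print(summary(SAMPLE_AUTH))
```

Run it against a real `radiusd -X` capture by piping the file into `triage()`; the include set is built only from lines the server itself printed, so the eap.conf check is exact for that run.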


Re: eap-ttls with ldap

2011-11-16 Thread Angelica Delgado
I am getting the following error, when eap is enable on inner-tunnel:

/etc/raddb/sites-enabled/inner-tunnel[228]: Failed to find module "eap".
/etc/raddb/sites-enabled/inner-tunnel[178]: Errors parsing authenticate
section.

Thanks.
Angelica
On Wed, Nov 16, 2011 at 12:39 AM, Alan DeKok wrote:

>  Angelica Delgado wrote:
> > We want to configure eap-ttls with freeradius.  Currently, we have
> > freeradius with ldap authentication.  The ldap that we are using is
> > Active Directory.  We want to know if there is good site that we can
> > follow to implement eap ttls with ldap authentication.
>
>  Configure LDAP so that PAP authentication works in the "inner-tunnel".
>  See raddb/sites-available/inner-tunnel for comments on testing this.
>
>  Configure the certificates for EAP-TLS.
>
>  EAP-TTLS will work.
>
>  Alan DeKok.
>


Re: eap-ttls with ldap

2011-11-15 Thread Alan DeKok
Angelica Delgado wrote:
> We want to configure eap-ttls with freeradius.  Currently, we have
> freeradius with ldap authentication.  The ldap that we are using is
> Active Directory.  We want to know if there is good site that we can
> follow to implement eap ttls with ldap authentication.

  Configure LDAP so that PAP authentication works in the "inner-tunnel".
 See raddb/sites-available/inner-tunnel for comments on testing this.

  Configure the certificates for EAP-TLS.

  EAP-TTLS will work.

  Alan DeKok.


Re: eap-ttls with ldap

2011-11-15 Thread Fajar A. Nugraha
On Wed, Nov 16, 2011 at 12:57 PM, Angelica Delgado wrote:
> We configured ldap module to connect to our Active Directory as a ldap
> server.  This is currently working.  Do we need to change this configuration
> in order to start using eap-ttls?

err ... no, but unless you use ntlm_auth you would've needed to do
ldap bind, which means you can't use MSCHAP. If you can tolerate that
then it should be no problem.

>  We read on the ldap module that it does
> not support eap.  Is this true?
>

Where did you read that?

I used eap-peap-gtc with a lotus domino ldap server, and it works just
fine. I can NOT use it for eap-peap-mschapv2 though (due to the ldap
bind requirement).

You CAN use eap-peap-MSCHAPv2 with AD, but only if you also use
ntlm_auth (see the links I sent earlier).

-- 
Fajar



Re: eap-ttls with ldap

2011-11-15 Thread Angelica Delgado
We configured ldap module to connect to our Active Directory as a ldap
server.  This is currently working.  Do we need to change this
configuration in order to start using eap-ttls?  We read on the ldap module
that it does not support eap.  Is this true?

Thanks.
Angela

On Tue, Nov 15, 2011 at 11:08 PM, Fajar A. Nugraha  wrote:

> On Wed, Nov 16, 2011 at 11:37 AM, Angelica Delgado wrote:
> > We want to configure eap-ttls with freeradius.  Currently, we have
> > freeradius with ldap authentication.  The ldap that we are using is
> Active
> > Directory.  We want to know if there is good site that we can follow to
> > implement eap ttls with ldap authentication.
>
> Why eap-ttls? Why not just EAP-PEAP-MSCHAPv2?
>
> See
> http://deployingradius.com/documents/configuration/active_directory.html
> (but you've probably done that already, since you already have AD integration
> working), and
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> --
> Fajar
>
>


Re: eap-ttls with ldap

2011-11-15 Thread Fajar A. Nugraha
On Wed, Nov 16, 2011 at 11:37 AM, Angelica Delgado wrote:
> We want to configure eap-ttls with freeradius.  Currently, we have
> freeradius with ldap authentication.  The ldap that we are using is Active
> Directory.  We want to know if there is good site that we can follow to
> implement eap ttls with ldap authentication.

Why eap-ttls? Why not just EAP-PEAP-MSCHAPv2?

See http://deployingradius.com/documents/configuration/active_directory.html
(but you've probably done that already, since you already have AD integration
working), and
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

-- 
Fajar



eap-ttls with ldap

2011-11-15 Thread Angelica Delgado
We want to configure eap-ttls with freeradius.  Currently, we have
freeradius with ldap authentication.  The ldap that we are using is Active
Directory.  We want to know if there is good site that we can follow to
implement eap ttls with ldap authentication.

Thanks.
Angela


Re: EAP-TTLS with LDAP and KRB5?

2008-10-15 Thread Jonathan D. Proulx
On Wed, Oct 15, 2008 at 07:47:48AM +0200, Alan DeKok wrote:

:  You will need to put something like this in the "users" file:
:
:DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Kerberos
:
:
:> Before I start pulling my hair out, is it even possible?
:
:  Yes.  IF the inner tunnel session contains a cleartext password.  CHAP
:won't work, and neither will MS-CHAP.

Excellent, thanks also for your pointer to your page about eapol_test,
both for testing purposes and because the example had this critical
line that got my client config right:

phase2="auth=PAP"

So now eapol_test and my linux wpa_supplicant laptop can connect
either with LDAP/KRB5 users or users from the users file; that will
get me through opening day Monday, and I might even be able to have the
weekend off!

Many Thanks,
-Jon




Re: EAP-TTLS with LDAP and KRB5?

2008-10-14 Thread Alan DeKok
Jonathan D. Proulx wrote:
> using 1.1.7 (forgive me)

  And we say... upgrade.  :)  It will make solving this problem easier.

> I have EAP-TTLS working from the files module and I have krb5
> authentication working with ldap authorization for radtest, but when I
> try EAP-TTLS as an ldap user I fail to connect, and the server never
> seems to try the krb5 module.

  You will need to put something like this in the "users" file:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Kerberos


> Before I start pulling my hair out, is it even possible?

  Yes.  IF the inner tunnel session contains a cleartext password.  CHAP
won't work, and neither will MS-CHAP.

  Alan DeKok.


EAP-TTLS with LDAP and KRB5?

2008-10-14 Thread Jonathan D. Proulx
Hi all,

using 1.1.7 (forgive me)

I have EAP-TTLS working from the files module and I have krb5
authentication working with ldap authorization for radtest, but when I
try EAP-TTLS as an ldap user I fail to connect, and the server never
seems to try the krb5 module.

Before I start pulling my hair out, is it even possible?
http://lists.cistron.nl/pipermail/freeradius-users/2006-March/msg00055.html
seems to suggest it is but my searches aren't turning up much
specifics...

Thanks,
-Jon


Re: EAP-TTLS with LDAP authentication?

2005-12-13 Thread Alan DeKok
Konne <[EMAIL PROTECTED]> wrote:
> is it possible to do EAP-TTLS with LDAP authentication or what is the 
> best and secure way?

  It depends on the authentication method inside of EAP-TTLS.

> i have an AP cisco aironet 1242, Debian with Freeradius and a W2k3 
> Server with the Active Directory.

  Ugh.  Active Directory isn't really an LDAP server.

  Your choices for the tunneled authentication method are PAP and MS-CHAP.

  Alan DeKok.


EAP-TTLS with LDAP authentication?

2005-12-13 Thread Konne

hi
is it possible to do EAP-TTLS with LDAP authentication or what is the 
best and secure way?


i have an AP cisco aironet 1242, Debian with Freeradius and a W2k3 
Server with the Active Directory.


what do you suggest?

thx


Re: EAP/TLS, EAP-TTLS with LDAP

2004-12-23 Thread Alan DeKok
Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
>   could you be a LITTLE bit more specific about that? It's Christmas :).
> How can I define conditions which will notice that it is the EAP-TTLS
> case and not EAP/TLS? Perhaps there is no way, as at the beginning it is
> simply an EAP message, so the server has no way of telling which way to go?

  The "FreeRADIUS-Proxied-To" attribute is added to the session inside
of the tunnel.  See debugging mode for examples, it *will* print this
out.

  In the "users" file, you can put:

DEFAULT  FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := ldap

  and it will call the LDAP module only inside of the tunnel.

  You will also have to set up an Autz-Type block in the "authorize"
section.  See doc/Autz-Type.

  Alan DeKok.




Re: EAP/TLS, EAP-TTLS with LDAP

2004-12-23 Thread Tomasz Wolniewicz
Alan,
  could you be a LITTLE bit more specific about that? It's Christmas :).
How can I define conditions which will notice that it is the EAP-TTLS
case and not EAP/TLS? Perhaps there is no way, as at the beginning it is
simply an EAP message, so the server has no way of telling which way to go?

Tomasz

On Wed, Dec 22, 2004 at 11:14:31AM -0500, Alan DeKok wrote:
> Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
> > Does someone have an idea how to switch off LDAP for processing of the
> > outer part of the EAP-TTLS message?
> 
>   Put ldap into an Autz-Type block, and configure the server to call
> the block only in the conditions you want it to be called.
> 
>   Alan DeKok.
> 
> 

-- 
Tomasz Wolniewicz
   [EMAIL PROTECTED]    http://www.uni.torun.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.: +48-693-032-576



Re: EAP/TLS, EAP-TTLS with LDAP

2004-12-22 Thread Alan DeKok
Tomasz Wolniewicz <[EMAIL PROTECTED]> wrote:
> Does someone have an idea how to switch off LDAP for processing of the
> outer part of the EAP-TTLS message?

  Put ldap into an Autz-Type block, and configure the server to call
the block only in the conditions you want it to be called.

  Alan DeKok.




EAP/TLS, EAP-TTLS with LDAP

2004-12-22 Thread Tomasz Wolniewicz
I expect my users to authenticate with either EAP/TLS or EAP-TTLS/PAP.
In the first case User-Name is processed twice, first the outer identity,
and later the inner one. Actually I have no interest in processing the
outer identity as this only serves setting up the correct realm, but the
uid has no meaning.  It turns out that I search the whole user database and
throw away the result, which seems like a big waste of resources. And to make
things worse, this goes on with every packet of the conversation.

I have figured out a way of dealing with this, by returning from the authorize
list whenever eap returns updated, unfortunately this does not work with
TTLS in which case the outer identity is THE one that we are interested in.

Does someone have an idea how to switch off LDAP for processing of the
outer part of the EAP-TTLS message?

Tomasz

-- 
Tomasz Wolniewicz
   [EMAIL PROTECTED]    http://www.uni.torun.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun   pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850   tel kom.: +48-693-032-576



Re: Using EAP-TTLS with LDAP

2004-08-26 Thread David Sotnick
On Thu, 26 Aug 2004, Alan DeKok wrote:

>   To be a little pickier: LDAP doesn't understand EAP, but FreeRADIUS
> does.  So if you use LDAP as a user/password store, and tie that
> password to EAP via FreeRADIUS, it will work.  If you try to pass the
> EAP session to an LDAP database, it won't work.

Right. Thanks for the clarification.

>   If you configure the LDAP module in "radiusd.conf", and un-comment
> its entry in the "authorize" section, then any user who has a
> clear-text password in LDAP will be able to do PAP, CHAP, MS-CHAP,
> etc.

I currently have LDAP working for other NAS clients (VPN and network
equipment access). Our passwords are stored crypted in LDAP.

>   Once you configure tls && ttls, then those users will be able to do
> EAP-TTLS, too.  The goal of the server is to make all of these
> authentication/database methods as independent as possible, which
> makes it easier to configure and deploy.

That sounds great -- and I think I'm really close, but I'm not quite
there.

Here's my config files and the output of 'radiusd -X':

users:

DEFAULT    NAS-IP-Address == 138.72.250.12, NAS-Port-Type == Wireless-802.11
           Fall-Through = No

DEFAULT    Auth-Type := Reject
           Reply-Message = "You do not have permission to  this system."

radiusd.conf:

This is pretty much the same as the stock radiusd.conf with the
ldap stuff uncommented in the authorize and authenticate sections.
This also confuses me -- the comments in radiusd.conf say:

# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

But I need Auth-Type LDAP for my non-EAP clients using just LDAP.

Anyway, here's the debug output:

rad_recv: Access-Request packet from host 138.72.250.12:1108, id=123, length=139
User-Name = "sotnickd"
NAS-IP-Address = 138.72.250.12
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "port-02"
Called-Station-Id = "00-20-A6-53-19-AF:WPANetTest"
Calling-Station-Id = "00-30-65-0B-9B-B0"
EAP-Message = 0x0283000d01736f746e69636b64
Message-Authenticator = 0xc1528083d9701f023156aca80134d852
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826'
rlm_detail: 
/usr/local/etc/raddb-test/radacct-test/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /usr/local/etc/raddb-test/radacct-test/138.72.250.12/auth-detail-20040826
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "sotnickd", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 131 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 1
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sotnickd
radius_xlat:  '(uid=sotnickd)'
radius_xlat:  'o=example.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: bind as / to ldap.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=example.com, with filter (uid=sotnickd)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sotnickd authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 123 to 138.72.250.12:1108
EAP-Message = 0x018400061520
Message-Authenticator = 0x
State = 0x5a26d1528b7b24612a53713ef28b24b1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-

Re: Using EAP-TTLS with LDAP

2004-08-26 Thread Alan DeKok
David Sotnick <[EMAIL PROTECTED]> wrote:
> I'm trying to get EAP-TTLS working on an Avaya WPA WLAN network, using
> LDAP as the user/password database. I'm running FreeRadius version 1.0.0.

  That shouldn't be a problem.

> In an older version of the doc/rlm_eap documentation, it seems to imply
> that you can use both EAP and LDAP, but newer documentation states that
> because the LDAP module requires the "User-Password" attribute, that when
> LDAP is on that EAP won't work.

  To be a little pickier: LDAP doesn't understand EAP, but FreeRADIUS
does.  So if you use LDAP as a user/password store, and tie that
password to EAP via FreeRADIUS, it will work.  If you try to pass the
EAP session to an LDAP database, it won't work.

> Is it possible to accomplish what I'm trying to do? I want to use TTLS as
> the tunnel transport for the EAP stuff, but have FreeRadius send the
> client username/password to the back-end LDAP server for authorization and
> authentication.

  Delete the last two words: "... and authentication".  Let FreeRADIUS
do the authentication work, and let LDAP do the database work.

  If you configure the LDAP module in "radiusd.conf", and un-comment
its entry in the "authorize" section, then any user who has a
clear-text password in LDAP will be able to do PAP, CHAP, MS-CHAP,
etc.

  Once you configure tls && ttls, then those users will be able to do
EAP-TTLS, too.  The goal of the server is to make all of these
authentication/database methods as independent as possible, which
makes it easier to configure and deploy.

  Alan DeKok.



Using EAP-TTLS with LDAP

2004-08-25 Thread David Sotnick
I'm trying to get EAP-TTLS working on an Avaya WPA WLAN network, using
LDAP as the user/password database. I'm running FreeRadius version 1.0.0.

In an older version of the doc/rlm_eap documentation, it seems to imply
that you can use both EAP and LDAP, but newer documentation states that
because the LDAP module requires the "User-Password" attribute, that when
LDAP is on that EAP won't work.

Is it possible to accomplish what I'm trying to do? I want to use TTLS as
the tunnel transport for the EAP stuff, but have FreeRadius send the
client username/password to the back-end LDAP server for authorization and
authentication.

Any help is greatly appreciated!

Regards,

--
David Sotnick
Pixar Animation Studios
Emeryville, CA
