Authorize/authenticate with LDAP

Thierry CHICH thierry.chich at ac-clermont.fr
Wed Jan 16 11:44:56 CET 2008


Hello,

I have a small problem that is a little bit annoying, and it seems to me that a lot of 
people using LDAP don't know that they have the same problem.

Let me explain:

I have an access point, and I want to use EAP/TTLS in order to authenticate 
people against my LDAP server. The first time, I had something like this:

authorize {
        preprocess
        suffix
        eap
        files
        Autz-Type LDAP {
                ldap
        }
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}

It is working. I am not sure it is the minimal configuration, but I don't care 
too much. My problem is the following:
in my Intel PROSet, if I give a false identity in my roaming profile together with 
a good identity and a good password, it works. The authorization step 
doesn't work as I want. The most important problem is that the accounting 
uses my roaming profile.

I can partially solve the problem using:

Autz-Type LDAP {
        ldap {
                notfound = reject
        }
}

Then, the roaming profile must be a valid LDAP name. But I can still use an 
arbitrary valid LDAP name.

In fact, the most important thing to me is that the accounting and session 
logger use the right name.

Is there a solution to my problem?

Thx,
-- 
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
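The behaviour described in the post above comes from EAP-TTLS having two identities: the outer identity (the "roaming profile" name the supplicant sends in the clear, which the NAS then reuses in accounting) and the inner identity actually checked against LDAP inside the TLS tunnel. A NAS builds its Accounting-Request from the User-Name it saw, and RFC 2865 (section 5.1) says that when the Access-Accept carries a User-Name the NAS should use that name in all Accounting-Request packets for the session. So the defensive fix is to reject inner identities that are not in LDAP and to return the authenticated inner identity in the outer Access-Accept. The configuration below is an added example, not the poster's files nor anything from the thread; it assumes FreeRADIUS 2.x syntax (eap.conf with an "inner-tunnel" virtual server), which the poster's version may not use, and it only shows the settings relevant to this point (the tls section and the other modules are omitted):

```text
# eap.conf (added example, FreeRADIUS 2.x syntax assumed; other ttls/tls
# settings omitted)
eap {
        default_eap_type = ttls
        ttls {
                # Run the inner (tunnelled) authentication through the
                # "inner-tunnel" virtual server below.
                virtual_server = "inner-tunnel"

                # Send the reply attributes of the INNER authentication in
                # the outer Access-Accept. Together with the User-Name set
                # in post-auth below, this is what makes the NAS account
                # under the real (inner) identity instead of the roaming
                # profile's outer identity.
                use_tunneled_reply = yes
        }
}

# sites-enabled/inner-tunnel (added example)
server inner-tunnel {
        authorize {
                # An inner identity that does not exist in LDAP is rejected
                # outright; the default would let it fall through as "noop".
                ldap {
                        notfound = reject
                }
        }
        authenticate {
                Auth-Type LDAP {
                        ldap
                }
        }
        post-auth {
                # Put the authenticated inner identity into the reply so
                # that, with use_tunneled_reply = yes, it reaches the NAS in
                # the Access-Accept and is used for accounting.
                update reply {
                        User-Name := "%{User-Name}"
                }
        }
}
```

With this in place the outer identity in the roaming profile can still be anything the supplicant likes, but it never reaches the accounting or session logs: only an identity that exists in LDAP and whose password was verified inside the tunnel is returned to the NAS. A useful check after deploying it is to compare the User-Name in the Accounting-Request (radius.log / detail file) against the inner User-Name in the inner-tunnel debug output (radiusd -X); they should now be identical.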


