LDAP authorization - Attribute "User-Password" is required for authentication

Alan DeKok aland at deployingradius.com
Mon Jun 16 17:55:03 CEST 2008


Neil Marjoram wrote:
> I am using a Netgear WAG102 Wireless access point to authorise to Radius,
> which in turn uses LDAP. radtest from the command line of the local host
> authenticates no problem, but I understand that it is a possibility that
> the Netgear passes the MAC address of the laptop through to use as a
> password.
> 
> I am unable to understand how to map this in LDAP and keep getting :
>  Attribute "User-Password" is required for authentication

  You have forced "Auth-Type := LDAP" in your configuration.  Don't do
that.  i.e.  You have:

rlm_ldap: Adding radiusAuthType as Auth-Type == LDAP

  DELETE the "radiusAuthType" from your LDAP configuration.  It is NOT
needed, and it's making authentication fail.

  It also looks like you've deleted most of the modules from the
"authorize" section.  Don't do that.  Use the default configuration.
It's there for a purpose: it works.

  It also looks like you haven't configured PEAP or TTLS.  You MUST
configure them for wireless authentication.

> I am using the radiusProfile for each user in LDAP that I allow access
> via wireless.
> 
> I am pretty new to Radius so I am sure I have some config wrong here
> somewhere. I am currently testing on Ubuntu 8.04, and have Freeradius
> 1.1.7.

  I understand why Ubuntu chose to use 1.1.7, but still.... Version
2.0.5 is much, much better.

  My recommendation for a quick fix:

1) Install 2.0.5.  It's much better than 1.1.7.
2) start with default config
3) configure the LDAP module as you have done already (modules section,
un-comment ldap in the "authorize" and "authenticate" sections of
raddb/sites-available/* (use "grep ldap *")).
4) do NOT set "radiusAuthType" in your LDAP directory.
5) Test with 'radtest'.  It should work.
6) Test with a wireless client (un-check "validate server certificate")
   It should work.

  2.0.5 makes it trivial to get PEAP and TTLS working.  It's a lot
harder to do that in 1.1.7.

  Alan DeKok.
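
Step 4 of the list above can be checked offline against an LDIF export of the directory. The following is an added example, not part of the original message and not FreeRADIUS code: it lists every entry that still carries radiusAuthType, handling folded lines and attribute-name case. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report LDIF entries that still carry radiusAuthType.
# Reads LDIF on stdin, prints "<dn><TAB><value>" for each hit.
find_forced_auth_type() {
    awk '
    # Process one logical (already unfolded) LDIF line.
    function handle(l,    i, name, val) {
        if (l == "" || l ~ /^#/) return          # blank line or comment
        i = index(l, ":")
        if (i == 0) return
        name = tolower(substr(l, 1, i - 1))      # attribute names are case-insensitive
        val = substr(l, i + 1)
        sub(/^:?[ ]*/, "", val)                  # "::" (base64) values are shown undecoded
        if (name == "dn") dn = val
        else if (name == "radiusauthtype") printf "%s\t%s\n", dn, val
    }
    { sub(/\r$/, "") }                           # tolerate CRLF exports
    /^ / { line = line substr($0, 2); next }     # folded continuation line
    { handle(line); line = $0; if ($0 == "") dn = "" }
    END { handle(line) }
    '
}

# Constructed sample directory export (not real data).
sample_ldif() {
    cat <<'EOF'
dn: uid=neil,ou=people,dc=example,dc=org
objectClass: radiusProfile
uid: neil
radiusAuthType: LDAP

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: radiusProfile
uid: alice

# entry with folded lines and different attribute-name case
dn: uid=bob,ou=people,
 dc=example,dc=org
objectClass: radiusProfile
RadiusAuthType: LD
 AP
EOF
}

sample_ldif | find_forced_auth_type
```

Feed the function an LDIF export of the user subtree in place of the sample; an empty result means no entry forces Auth-Type through radiusAuthType.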


