802.1x, EAP and LDAP
Alan DeKok
aland at deployingradius.com
Mon Mar 3 16:46:36 CET 2008
Mike Richardson wrote:
>> 2) Configure and test LDAP with "radtest" (clear-text password)
>> for a *different* user
>
> Doesn't work. Similar sort of error though.
Then fix that before proceeding with EAP.
>> Don't do 802.1x and LDAP until you have normal "radtest" working with
>> LDAP.
>
> AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
> test.
To be blunt: it's rude to ask questions of experts, and then to tell
them that their answers are invalid. If you know better, why are you
asking questions on this list?
> The approach required appeared quite different but I'm open to
> suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
> in any format.
I've spent over 10 years working with RADIUS, and almost 9 years with
FreeRADIUS. The "Active Directory with LDAP && TTLS" issue has come up
more times than I can count. It has been *solved* more times than I can
count, by FOLLOWING INSTRUCTIONS.
> Anyway, the output from a test with 'radtest' and LDAP:
...
> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
You were told to go fix this. Do it. Now.
> rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, length=48
> User-Name = "raduser2"
> User-Password = "raduser20"
...
> rlm_ldap: looking for check items in directory...
Nothing. This isn't surprising for Active Directory.
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
If you have configured "ldap" in the "authenticate" section, then this
would work. The LDAP "bind as user" works with AD for PAP requests.
Hint: look in the configuration files for instances of the word
"ldap". Read the comments. Un-comment the sample configurations.
It's *not* hard.
1) install FreeRADIUS
2) configure LDAP (*all* references in radiusd.conf &&
sites-available/default)
3) validate that radtest works.
Alan DeKok.
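
A check for the misconfiguration discussed in this message, as an added example that is not part of the original post or of FreeRADIUS: it reports whether "ldap" is active (not commented out) in both the "authorize" and "authenticate" sections of a virtual-server file such as sites-available/default. The function names and the sample configuration are constructed for illustration, and the comment stripping assumes no '#' inside quoted strings.

```python
import re

def active_modules(config_text):
    """Map each top-level section to the module names actively called in it."""
    stack, found = [], {}
    for raw in config_text.splitlines():
        # Drop comments (assumption: no '#' inside quoted strings).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # e.g. "authenticate {" or "Auth-Type LDAP {"
            stack.append(line[:-1].strip())
            if len(stack) == 1:
                found.setdefault(stack[0], set())
        elif line == "}":
            if stack:
                stack.pop()
        elif stack:                       # a module call inside some section
            found[stack[0]].add(line.split()[0])
    return found

def diagnose(config_text, module="ldap"):
    """Return one message per section in which the module is missing."""
    mods = active_modules(config_text)
    return ['"%s" is not listed in the "%s" section' % (module, s)
            for s in ("authorize", "authenticate")
            if module not in mods.get(s, set())]

# Constructed sample: ldap runs in authorize, but its authenticate entry
# is still commented out, which is the state the debug output above shows.
BROKEN = """
authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
#   Auth-Type LDAP {
#       ldap
#   }
}
"""
# Same file with the sample Auth-Type LDAP block un-commented.
FIXED = re.sub(r"(?m)^#", " ", BROKEN)

if __name__ == "__main__":
    print("broken:", diagnose(BROKEN))
    print("fixed: ", diagnose(FIXED))
```
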