Using LDAP with EAP-TLS

Phil Mayers p.mayers at imperial.ac.uk
Mon May 16 15:01:43 CEST 2011


On 16/05/11 13:32, Alexandros Gougousoudis wrote:
> Hi,
>
> I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation.
> What I want to do is:
>
> A host-based authentication for my workstations. All the names of the
> workstations are in LDAP, the authentication itself should be done
> with EAP-TLS. I would like to have a hint on how to start EAP when the
> LDAP query was successful. The LDAP query works I think, FR says:
> [ldap] user scit-beerchen authorized to use remote access, but then it
> tries to make some kind of password authentication (I have no password
> for workstations in LDAP), and is not starting EAP-TLS. The asking host
> "scit-beerchen" is in the WLAN-User Group.
>
> What could I do?
>

The reason it's failing is nothing to do with LDAP. It's because you've 
added a module "ntlm_auth" to the authorize section.

> [ntlm_auth] expand: --username=%{mschap:User-Name} ->
> --username=scit-beerchen
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password
> (0xc000006a)
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Using Post-Auth-Type Reject

You've broken the default configs by adding in modules you don't need 
and don't understand.

Go back to the default configs. Then *just* configure LDAP, and things 
will work.
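As an added illustration of the point above (constructed here, not the poster's real config nor anything from the FreeRADIUS project), a minimal sites-enabled/default authorize section with the ntlm_auth mistake, followed by the stock-style layout where EAP-TLS is handled by eap and ldap only authorizes the host. It assumes the stock FreeRADIUS 2.x module names and eap.conf.

```unlang
# Constructed example, not the poster's actual configuration.
# BROKEN: ntlm_auth is listed in authorize, so it is exec'd for every
# request. A host doing EAP-TLS sends no User-Password, so ntlm_auth
# returns reject and the request dies before eap ever runs.
authorize {
	preprocess
	suffix
	eap {
		ok = return
	}
	ldap
	ntlm_auth
}

# FIXED (stock 2.x layout): ldap only confirms the host exists in the
# directory (and may dial in, if access_attr is set); eap sets
# Auth-Type := EAP on the first packet and short-circuits the rest of
# authorize on later ones. No password module is involved anywhere.
authorize {
	preprocess
	suffix
	eap {
		ok = return
	}
	ldap
}

authenticate {
	eap
}

# Optional hardening (assumes the stock 2.x eap.conf tls section):
# the EAP-Identity that ldap looked up is client-asserted, so tie it to
# the CN of the certificate the client actually proves possession of.
#
#   eap {
#       tls {
#           check_cert_cn = %{User-Name}
#       }
#   }
```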
