Yet another Freeradius+openldap eap-ttls pap issue

Alan DeKok aland at deployingradius.com
Thu Nov 28 14:58:40 CET 2013


Work wrote:
> I think I've successfully configured freeradius for the pap
> authentication with openldap since the radtest returns ok.

  Read raddb/sites-available/inner-tunnel.  It describes how to test the
*inner* portion of EAP.  You should test that before going to the full
EAP tests.

> is this ugly? My company does not want to add radiuschema to the users.

  It's fine.

> These are the configs:

  We don't want the configs.  They're not helpful.

> the debug from radius is:

  Helpful.

> [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items

  Which seems OK.

> Found Auth-Type = LDAP
> +- entering group LDAP {...}
>   [ldap] Attribute "User-Password" is required for authentication.
>   You seem to have set "Auth-Type := LDAP" somewhere.
>   THAT CONFIGURATION IS WRONG.  DELETE IT.
>   YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.

  What part of that message is unclear?

> Thank you :), hope I'm not missing something stupid, I've read a lot of
> documentation here and there.

  Reading the debug output helps.  Don't force "Auth-Type := ldap".  The
default configuration does NOT do this.  So the only way it happens is
if you changed the configuration to do this.

  Delete that, and it will work.

> ps. password on the LDAP are stored in hash form.

  Which means you can only use EAP-TTLS / PAP.  All other EAP types will
  *not* work.

  Alan DeKok.
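
Added example, not part of the original message and not FreeRADIUS code: a sketch of why a hashed directory value such as the `{MD5}...` one in the debug output can only be checked with PAP. PAP hands the server the cleartext, which it can re-hash and compare; challenge-response methods never give it a cleartext to re-hash. The function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Digest length per scheme; bytes after the digest are the salt (SSHA/SMD5).
SCHEMES = {"MD5": ("md5", 16), "SMD5": ("md5", 16),
           "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}

def parse_user_password(value):
    """Split '{SCHEME}base64' into (scheme, digest, salt)."""
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}(.+)", value)
    if not m:
        raise ValueError("no {SCHEME} header; not a recognised hash")
    scheme = m.group(1).upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(m.group(2), validate=True)
    size = SCHEMES[scheme][1]
    # Unsalted schemes must be exactly one digest long.
    if len(raw) < size or (scheme in ("MD5", "SHA") and len(raw) != size):
        raise ValueError("digest length does not match scheme " + scheme)
    return scheme, raw[:size], raw[size:]

def pap_check(cleartext, stored):
    """PAP: re-hash the supplied cleartext (plus salt) and compare."""
    scheme, digest, salt = parse_user_password(stored)
    h = hashlib.new(SCHEMES[scheme][0])
    h.update(cleartext.encode() + salt)
    return hmac.compare_digest(h.digest(), digest)  # constant-time compare

def make_entry(scheme, cleartext, salt=b""):
    """Build a constructed directory value for the demo below."""
    h = hashlib.new(SCHEMES[scheme][0], cleartext.encode() + salt)
    return "{%s}%s" % (scheme, base64.b64encode(h.digest() + salt).decode())

if __name__ == "__main__":
    stored = make_entry("MD5", "constructed-pass")  # constructed sample value
    print(stored)
    print("correct password:", pap_check("constructed-pass", stored))
    print("wrong password:  ", pap_check("wrong", stored))
```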

