FreeRADIUS w/ LDAP and EAP-TLS

Enno Gröper groepeen at cms.hu-berlin.de
Fri Dec 15 14:39:44 CET 2017


Hi,

On 30.11.2017 at 17:33, Andrew Meyer via Freeradius-Users wrote:
> So yesterday after complicating my configuration I decided to
> completely start over.  I rebuilt the server and got everything working
> up to the EAP-TLS.

Do you really mean EAP-TLS? EAP-TLS means using client certificates to 
authenticate the users and not any inner tunnel.

In contrast, with EAP-TTLS you are establishing a TLS-secured connection
and then authenticating the user in an inner tunnel (using PAP, LDAP, ...).

> https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration 

This doesn't use LDAP auth. LDAP auth would be in the "inner tunnel".
EAP-TLS doesn't need/have an inner tunnel.

> Auth-Type LDAP {
> rlm_ldap (ldap): Reserved connection (6)
> (2) ldap: Login attempt by "andrew.meyer"
> (2) ldap: Using user DN from request "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local"
> (2) ldap: Waiting for bind result...
> (2) ldap: Bind successful
> (2) ldap: Bind as user "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" was successful
> rlm_ldap (ldap): Released connection (6)
> (2)     [ldap] = ok
> (2)   } # Auth-Type LDAP = ok
> (2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (2)   post-auth {
> (2)     update {
> (2)       No attributes updated
> (2)     } # update = noop
> (2)     [exec] = noop
> (2)     policy remove_reply_message_if_eap {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (2)       else {
> (2)         [noop] = noop
> (2)       } # else = noop
> (2)     } # policy remove_reply_message_if_eap = noop
> (2)   } # post-auth = noop
> (2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to

This looks like LDAP auth is working fine, an Access-Accept is sent.
What does this have to do with EAP-TLS?
And since Access-Accept is sent: What is the problem here?


Kind regards,
Enno
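
The observation in this reply, that the quoted Access-Accept came from an LDAP bind with no EAP method involved, can be checked mechanically over debug output. The following is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical, and the request (7) lines are constructed on the assumption that EAP modules log with an `eap`-prefixed module name in the same way the quoted LDAP lines are prefixed `ldap:`.

```python
import re
from collections import defaultdict

# Constructed sample of debug output. Request (2) reuses lines from the log
# quoted in this thread (its last line is cut off there too); request (7) is
# invented for contrast and its exact wording is an assumption.
SAMPLE = """\
(2)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (6)
(2) ldap: Login attempt by "andrew.meyer"
(2) ldap: Bind successful
(2)     [ldap] = ok
(2)   } # Auth-Type LDAP = ok
(2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7)     [eap] = ok
(7) Sent Access-Accept Id 23 from 192.0.2.1:1812 to
"""

REQUEST_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")   # "(N) message"
AUTH_TYPE = re.compile(r"^Auth-Type (\S+) \{")     # opening of an Auth-Type section
MODULE_MSG = re.compile(r"^(\w+): ")               # "ldap: ...", "eap_tls: ..."
SENT = re.compile(r"^Sent (Access-\w+)")           # final reply for the request

def summarize(debug_text):
    """Group debug lines by request number and record what handled each one."""
    reqs = defaultdict(lambda: {"auth_types": [], "modules": set(), "result": None})
    for line in debug_text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue                               # e.g. rlm_ldap pool messages
        info, body = reqs[int(m.group(1))], m.group(2)
        if (a := AUTH_TYPE.match(body)):
            info["auth_types"].append(a.group(1))
        elif (mod := MODULE_MSG.match(body)):
            info["modules"].add(mod.group(1))
        elif (s := SENT.match(body)):
            info["result"] = s.group(1)
    return dict(reqs)

def accepted_without_eap(debug_text):
    """Request numbers that ended in Access-Accept with no EAP module involved."""
    return sorted(rid for rid, info in summarize(debug_text).items()
                  if info["result"] == "Access-Accept"
                  and not any(mod.startswith("eap") for mod in info["modules"]))

if __name__ == "__main__":
    for rid, info in sorted(summarize(SAMPLE).items()):
        print(rid, info)
    print("accepted without EAP:", accepted_without_eap(SAMPLE))
```

A request listed by `accepted_without_eap` was authenticated by something other than an EAP method, which on a setup meant to enforce EAP-TLS indicates the client or test tool sent a plain password request instead.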
