FreeRADIUS w/ LDAP and EAP-TLS

Andrew Meyer andrewm659 at yahoo.com
Thu Nov 30 17:33:19 CET 2017


So yesterday after complicating my configuration I decided to completely start over.  I rebuilt the server and got everything working up to the EAP-TLS.  While it is clear that it says no "known good" password found, I was able to auth to LDAP prior to turning on EAP-TLS.  So I suspect there is something else that I am missing.  I am using the certificates that came w/ FreeRADIUS in the /etc/raddb/certs/ folder.  I will be generating my own or applying ones from FreeIPA once I get this working.


I followed this:
http://deployingradius.com/documents/configuration/eap.html
https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration

Here is the output from debug:
(2)         control:Auth-Type := LDAP
(2)       } # update = noop
(2)     } # if ((ok || updated) && User-Password)  = noop
(2)     [expiration] = noop
(2)     [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password is available
(2)     [pap] = noop
(2)   } # authorize = ok
(2) Found Auth-Type = LDAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (6)
(2) ldap: Login attempt by "andrew.meyer"
(2) ldap: Using user DN from request "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local"
(2) ldap: Waiting for bind result...
(2) ldap: Bind successful
(2) ldap: Bind as user "uid=andrew.meyer,cn=users,cn=accounts,dc=meyer,dc=local" was successful
rlm_ldap (ldap): Released connection (6)
(2)     [ldap] = ok
(2)   } # Auth-Type LDAP = ok
(2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(2)   post-auth {
(2)     update {
(2)       No attributes updated
(2)     } # update = noop
(2)     [exec] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # post-auth = noop
(2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to 10.150.1.250:53618 length 0
(2) Finished request
Waking up in 1.0 seconds.
(1) Cleaning up request packet ID 15 with timestamp +68
Waking up in 3.9 seconds.
(2) Cleaning up request packet ID 16 with timestamp +72

Ready to process requests
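To read radiusd -X output like the above at a glance, here is an added helper (not from the post or from FreeRADIUS) that groups the debug lines by request number and says whether the pap "No known good password" warning actually mattered. The sample lines are constructed from the post's own format; request (3) is a made-up reject case where nothing set Auth-Type.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the radiusd -X lines quoted in the post:
# request (2) is the LDAP-accepted case above; request (3) is a constructed
# request where nothing set Auth-Type, so the pap warning is the real failure.
SAMPLE_DEBUG = """\
(2) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2)     [pap] = noop
(2)   } # authorize = ok
(2) Found Auth-Type = LDAP
(2)   Auth-Type LDAP {
(2)     [ldap] = ok
(2)   } # Auth-Type LDAP = ok
(2) Sent Access-Accept Id 16 from 10.150.10.45:1812 to 10.150.1.250:53618 length 0
(3) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(3)     [pap] = noop
(3) Sent Access-Reject Id 17 from 10.150.10.45:1812 to 10.150.1.250:53619 length 0
"""

MODULE_RE = re.compile(r'^\((\d+)\)\s+\[(\S+)\] = (\w+)$')        # "(2)   [ldap] = ok"
WARN_RE = re.compile(r'^\((\d+)\) (\S+): WARNING: (.*)$')          # "(2) pap: WARNING: ..."
AUTHTYPE_RE = re.compile(r'^\((\d+)\) Found Auth-Type = (\S+)$')   # "(2) Found Auth-Type = LDAP"
SENT_RE = re.compile(r'^\((\d+)\) Sent (Access-\w+) Id (\d+) ')    # "(2) Sent Access-Accept Id 16 ..."

def summarise(debug_text):
    """Group radiusd -X lines by request number: module rcodes, warnings, Auth-Type, reply."""
    reqs = defaultdict(lambda: {"modules": {}, "warnings": [], "auth_type": None, "reply": None})
    for line in debug_text.splitlines():
        if m := MODULE_RE.match(line):
            reqs[int(m[1])]["modules"][m[2]] = m[3]
        elif m := WARN_RE.match(line):
            reqs[int(m[1])]["warnings"].append((m[2], m[3]))
        elif m := AUTHTYPE_RE.match(line):
            reqs[int(m[1])]["auth_type"] = m[2]
        elif m := SENT_RE.match(line):
            reqs[int(m[1])]["reply"] = m[2]
    return dict(reqs)

def triage(summary, request_id):
    """Say whether a pap 'No known good password' warning mattered for this request."""
    r = summary[request_id]
    pap_warned = any(mod == "pap" for mod, _ in r["warnings"])
    if r["reply"] == "Access-Accept" and r["auth_type"] not in (None, "PAP"):
        return "accepted-by-" + r["auth_type"]  # warning harmless: another Auth-Type authenticated
    if r["reply"] == "Access-Reject" and pap_warned and r["auth_type"] is None:
        return "rejected-no-auth-type"  # no module set Auth-Type, so pap's warning is the real failure
    return "other"

if __name__ == "__main__":
    s = summarise(SAMPLE_DEBUG)
    for rid in sorted(s):
        print(rid, s[rid]["auth_type"], s[rid]["reply"], triage(s, rid))
```

Run it against a saved `radiusd -X` capture to see, per request, which Auth-Type actually authenticated and whether the pap warning can be ignored.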
