WPA2 Client Authentication using Radius and remote LDAP server

Alan DeKok aland at deployingradius.com
Tue Sep 18 17:12:57 CEST 2018


On Sep 18, 2018, at 10:58 AM, daada muyiwa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have been trying to set up Freeradius to remotely query an LDAP server when it gets authentication requests from a Wireless LAN Controller.

  Is it an actual LDAP server?  Or is it Active Directory?

> I have been able to test that the Freeradius Server can communicate with the LDAP Server by using the radtest tool (I get the access-accept reply) but when I try to query the remote LDAP server with requests from the Wireless LAN controller I get the following response:
> 
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory ...
> WARNING: No "known good" password was found in LDAP. Are you sure that the user has been configured properly?

  Yes... you should read the debug output to see what else is going on.

> Not sure if it's the EAP section of the request that has issues.

  The LDAP server is configured to not return the "known good" password to FreeRADIUS.  And, you've configured FreeRADIUS to use "ldap" for authentication.

  Don't do that.  LDAP is a database.  It doesn't implement EAP.  FreeRADIUS is an authentication server.  It implements EAP.

  Allow FreeRADIUS to read the "known good" password from LDAP, and it will Just Work.

  Alan DeKok.
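As an added illustration (not part of the original thread, and not the poster's or Alan's configuration): a FreeRADIUS 3.x sketch that puts the setup producing the "No known good password" warning next to the one Alan describes. The server name, bind DN, bind password and base DN are placeholders, and the 3.x syntax is assumed; the poster's `[ldap]` debug prefix suggests a 2.x server, where the same idea is expressed with the module's password attribute setting rather than an `update` block.

```conf
# Added example, not from the original post. Placeholders: ldap.example.org,
# the bind DN/password and dc=example,dc=org. FreeRADIUS 3.x syntax assumed.

# --- mods-available/ldap ------------------------------------------------------
ldap {
    server   = 'ldaps://ldap.example.org'
    identity = 'cn=radius,ou=services,dc=example,dc=org'
    password = 'change-me'
    base_dn  = 'dc=example,dc=org'

    update {
        # This is the "known good" password. The {SSHA}/{CRYPT}/cleartext
        # header is parsed for you, so pap / mschap / eap can check the
        # user's proof against it inside FreeRADIUS, with no LDAP bind-as-user.
        # It only works if the bind DN above is allowed to READ userPassword.
        control:Password-With-Header += 'userPassword'
    }

    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# --- sites-available/inner-tunnel --------------------------------------------
# For PEAP / EAP-TTLS the inner identity is authenticated here, so this is the
# virtual server that must fetch the password from LDAP.
server inner-tunnel {
    authorize {
        filter_username
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        # Fetch attributes, including control:Password-With-Header.
        -ldap

        # WRONG for 802.1X (the setup the warning comes from): forcing LDAP to
        # *authenticate* makes the module bind to the directory as the user.
        # An EAP request carries no User-Password to bind with, so it fails.
        #update control {
        #    Auth-Type := LDAP
        #}

        # Acceptable fallback: bind-as-user only when a cleartext password IS
        # present (PAP) and LDAP did not return anything to check it against.
        if ((ok || updated) && User-Password && !control:Password-With-Header) {
            update {
                control:Auth-Type := ldap
            }
        }

        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # Reached only via the fallback above, never for EAP.
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}
```

Three things to check before blaming the EAP side: the LDAP ACL must actually let the bind DN read `userPassword` (stock OpenLDAP ACLs usually let only the entry itself read it, which looks exactly like this warning on the RADIUS end); the stored form must suit the inner method, since PEAP/EAP-MSCHAPv2 can only be verified against a cleartext or NT-hash password while salted SHA or crypt hashes only work with EAP-TTLS/PAP or EAP-GTC; and because that bind account can now read credentials for every user, it deserves LDAPS or StartTLS, a dedicated DN and the narrowest ACL possible. If the directory turns out to be Active Directory, which is presumably why Alan asks, `userPassword` is not readable at all and the usual route is `mschap` with `ntlm_auth` or winbind rather than `rlm_ldap`.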
