Hi All,
The last week I've had my first encounter with FreeRADIUS as we were supposed to deploy eduroam. I had a lot of fun doing it although I have dreamt about the config files after a couple of days :)
Everything is working as it should so no worries there, but I'm curious about something. I configured the proxies and the local realm. When I did a radtest like this:
I would get an Accept-Accept. The debug output would show that first a bind and then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, let's try it on my mobile phone because a test account I got from an academic institution in the UK worked so local authentication should work as well! I entered the credentials but now comes the difference. Using a Wifi device made the LDAP search fail because it tried to authenticate the
user@domain.nl in stead of stripping the suffix.
I've been staring at the config files to see if I got the LDAP-filter defined two times somewhere but that doesn't seem to be the case. Now, this wasn't a really big problem because users can be pretty stupid and we decided to let them authenticate using their email address in stead of their username@domain which would to too much confusion for them.
The LDAP filter was:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Is now:
filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
The proxy.conf lines right before it's defaulted to eduroam:
realm ettyhillesumlyceum.nl {
}
Anyone has an idea why radtest would behave differently from an 802.1x login?
Regards,
Bas