Thanks again Alan, For reference the oriellys LDAP book instructs you to set "Auth-Type := LDAP" so thats where I got the bad reference (perhaps other people to). Now lets see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user ? I should comment out " Auth-Type LDAP { ldap } " And as always some follow up questions: When Using PAP -> LDAP will I still have to map userPassword to User-Password ? Will there be extra configuration required on free radius to make use of pap -> ADS ldap or will it work automatically because ldap is configured in the modules {} section. Wont using PAP mean plain text password from client -> cisco wap -> radius -> ADS server ? On 4/23/07, Alan DeKok <aland@deployingradius.com> wrote:
Jacob Jarick wrote:
My problem is the ldap password retrieved from the windows client is not being sent to the ldap server.
The problem is that you have configured "Auth-Type := LDAP", and then sent the server an 802.1x authentication request. Do NOT set Auth-Type = LDAP. This is repeated all over the place in the configuration files, the documentation, and on this list.
In fact, just delete "ldap" from the "authenticate" section. If you can get PAP working with that setup, then 802.1x && EAP should work, too.
Make sure that FreeRADIUS is retrieving the password from LDAP. If you have FreeRADIUS doing "bind as user" to LDAP, then it is NOT retrieving the password from LDAP.
See: http://deployingradius.com/documents/protocols/
And the two other web pages linked to from that page.
The weird thing is It was working fine friday.
Because you were doing PAP authentication.
I'm half inclined to remove "ldap bind as user" from the server entirely. It confuses too many people, and causes too many problems.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html