Hello! I've been going in circles - as have many (based on the posts I've read all over the web) - trying to assemble a working combination of Freeradius, Fedora Directory Server (LDAP), and a fleet of wireless access points that seem to want to do EAP. I want anyone with a record in my LDAP server to be able to authenticate via 802.1x from these AP's. The records consist of uid, givenName, sn, mail and userPassword. For starters, I was hoping to just ask a few key questions to try to clear up various contradictory comments I've seen in the zillion things I've read in the last 12 hours: - Is it, in fact, possible to combine 802.1X, EAP, Freeradius and Fedora Directory Server in this manner? - If so (and I'm guessing it is possible), can someone clarify the clear-text vs. encryption issues related to EAP and LDAP? By this, I mean: - Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner - I've seen conflicting comments on whether the passwords need to be clear-text in my LDAP database or not (or at least how Fedora DS needs to handle its password encryption settings) - Again, if this combination is possible, how far off from a -default- install of the latest Freeradius would the configuration be? It's easy to start making changes to the config and lose your bearings in short order... and, of course, hundreds of lines of debug output scroll by when doing a single 802.1X login attempt. I've repeatedly been able to do radtest checks against LDAP with no problems - but I realize that isn't involving EAP. I just say this to confirm that my LDAP server and Freeradius can talk just fine. I've had no problem with a file-based account with a clear-text password working all the way through the 802.1X process from the AP using EAP. It's when I try to combine the two that things go off the rails. I'll wrap this up with a copy from the debug log of the opening request from an AP in case it helps a bit (IP address xxx'd out in my paste): rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32774, id=6, length=156 User-Name = "ldaptest" NAS-IP-Address = 6.48.0.186 NAS-Port = 0 Called-Station-Id = "00-18-0A-30-00-BA:SBC WiFi" Calling-Station-Id = "00-26-08-62-FD-6E" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0201000d016c64617074657374 Message-Authenticator = 0x51deb89362f5b9e1c391e88d255eeefa This is followed by the first query (authorize) to the LDAP server happening with TLS mode set to 1 (port 636 - should be a valid SSL conversation) and it binding successfully using an administrative DN. rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful The account I'm testing (ldaptest) is, for the time being, stored on the LDAP server with a clear-text password due to my questions above. In the test above, I had added: checkItem Cleartext-Password userPassword to my ldap.attrmap. Without that line, the same login test results in: rlm_ldap: performing search in ou=People,dc=sbc,dc=edu, with filter (uid=ldaptest) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user ldaptest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok The conversation continues on through the TLS segment, offering the example SSL cert to my connecting device (an iPhone talking to the AP in this test), me approving the offered cert on the iPhone and - a moment later - an error that the login/password are wrong. If I start here - with a fresh Freeradius install, references to LDAP uncommented, and basic LDAP parameters properly configured (server, bind dn, base, etc) - could I get some clear points on how to proceed with the configuration? Thanks! - Aaron