Thanks for the links. I've seen a few before and have gone over them again this morning. I'm not sure where I have misconfigured something. When I try to connect via 802.1x from a wireless client my Radius server debgging looks like below. Obviously the TLS session is not being setup correctly. I'm wondering about the private_key_password attribute. I just set it to "whatever" but that needs to correspond to a user on the LDAP server doesn't it? I'm not sure that's been set up. Any helpful ideas/comments are greatly appreciated. Thanks! Matt mda@unb.ca rad_recv: Access-Request packet from host x.x.x.201:6001, id=4, length=117 User-Name = "mda" NAS-IP-Address = x.x.x.201 Called-Station-Id = "00-02-2d-47-01-c4" Calling-Station-Id = "00-0e-35-36-48-f2" NAS-Identifier = "AP3WJD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02040008016d6461 Message-Authenticator = 0x3453e92189034ccc69804159f1c574e6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "mda", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 4 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 153 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for mda radius_xlat: '(uid=mda)' radius_xlat: 'ou=xxx,dc=xxx,dc=xxx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldapserver2:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Connect error rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail for request 0 modcall: group authorize returns fail for request 0 Finished request 0 Going to the next request Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 mda@unb.ca -----Original Message----- From: Zoltan Ori [mailto:z.ori@morehead-st.edu] Sent: July 11, 2006 10:44 AM To: mda@unb.ca; FreeRadius users mailing list Subject: Re: an infamous LDAP-FreeRadius question On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some cleancut instructions on this as I've seen quite a bit of threads concerning this but as mentioned in my initial email, they can be tough to follow.
There is no shortage of information available. There are links to HOW TO on www.freeradius.org main page for 802.1x and EAP http://www.freeradiuos.org/doc/EAPTLS.pdf http://www.tldp.org/HOWTO/8021X-HOWTO/ Read the docs on rlm_eap which has LDAP info. That can be found in your sources as well as on the wiki. Also, see this document http://vuksan.com/linux/dot1x/802-1x-LDAP.html Zoltan Ori