On Jun 26, 2009, at 10:50 AM, Arran Cudbard-Bell wrote:
On 26/6/09 15:37, Ivan Kalik wrote:
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner
Ldap "bind as user" authentication can't be used with EAP but that doesn't mean that you can't use passwords stored on Ldap server.
It can with EAP-TTLS-PAP or anything else that provides a cleartext password.
I'm pleased to report that, earlier this evening, everything fell into place. As I'd done a few times before, I removed and reinstalled Freeradius and began systematically applying various settings. This time around, I hit the right combination - thanks in part, of course - to some of the feedback here in the forum. My final working scenario consisted mainly of the following elements: - Uncommenting of ldap references in the default config files - Uncommenting of ldap references in the sites-enabled/inner-tunnel (had been focusing mostly on default before now) - ldap server configured to be used on port 636 / SSL - ldap server binding with an privileged CN - though, as I think back, this might be irrelevant now - I'll test that... - addition of "Cleartext-password" mapped to "userPassword" in ldap.attrmap - Test LDAP record (and, after success, ALL LDAP records) set to use cleartext password storage The first success came testing from my iPhone which was using EAP- TTLS. My test OS X machine was defaulting to TLS and wanting to provide a user cert, but I overrode that locally and confirmed it worked. Afterward, I set the eap.conf to default to EAP-TTLS. I remembered then, however, that Windows clients don't inherently support this, so I moved the default EAP method to PEAP. Everything has been working nicely since and I've tested from OS X, iPhone and Ubuntu. I'll hit XP and Vista machines with WiFi soon and check those, but am not worried at this point. My next issue has to do with my SSL cert to avoid clients getting warned that it's untrusted (despite using a valid, commercial wildcard cert from GoDaddy... but this appears to be related to use of an intermediate cert). Since this is a different issue from the one in this thread, I'll start a new thread (though I think I know the answer based on previous posts). Thanks to all! - Aaron