Ok, bit by bit I'm learning how freeradius works and making progress. The suggestion to look at the man page for unlang was very helpful, there's a lot of good information in there. Also the suggestion to test the inner tunnel with "radtest" has been useful. I've gotten a working configuration where my local ldap users are authenticated with PAM and jumpcloud users are authenticated with the little script I mentioned earlier. All this through the inner tunnel in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have: if ("%{User-Name}" =~ /jumpcloud/i) { update control { Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` } update reply { Reply-Message = "Hello jumpcloud ldap user" } } If it doesn't match then it defaults to PAM because I have DEFAULT Auth-Type = PAM in the users file. One question: I know Alan and the docs always say not to set the auth type manually. I would like to know how to configure it so it will automatically recognize and configure the user with PAM. I also at Alan's suggestion added the following lines at the end of proxy.conf: realm "jumpcloud" { auth_pool = my_auth_failover } Ok, moving on. I would like to use ldap instead of PAM. So what I did in the inner-tunnel file was uncomment "ldap" in the authorize section, and uncomment Auth-Type LDAP { ldap } in the authenticate section. Then I modified modules/ldap as follows: server = "<ip address>" identity = "cn=Manager,dc=xxxx" password = xxxxxxx basedn = "ou=People,dc=xxxx" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so that I'm not explicitly setting the auth-type anywhere. Then I run " radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log shows. It binds to ldap, looks up the user and grabs the password. But bombs out with an error that the Auth-Type isn't set. What am I doing wrong? Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Feb 18 11:43:42 2016 : Info: [ldap] ... expanding second conditional Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{User-Name} -> test2 Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2) Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: ou=People,dc=xxxx -> ou=People,dc=xxxx Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] attempting LDAP reconnection Thu Feb 18 11:43:42 2016 : Debug: [ldap] (re)connect to <ip>:389, authentication 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip.>:389 Thu Feb 18 11:43:42 2016 : Debug: [ldap] waiting for bind result ... Thu Feb 18 11:43:42 2016 : Debug: [ldap] Bind was successful Thu Feb 18 11:43:42 2016 : Debug: [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2) Thu Feb 18 11:43:42 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk" Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thu Feb 18 11:43:42 2016 : Info: Failed to authenticate the user. Thu Feb 18 11:43:42 2016 : Info: } # server inner-tunnel Thu Feb 18 11:43:42 2016 : Info: Using Post-Auth-Type Reject On Tue, Feb 16, 2016 at 12:53 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 16, 2016, at 2:46 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Why not just configure LDAP directly in FreeRADIUS? The server has done LDAP for oh, 15 years now.
Yes. Most users should be using email addresses for their identifiers. i.e. "user@my.domain.tld". That way you can easily distinguish users from different domain.
Unfortunately jumpcloud doesn't permit an "@" symbol in their usernames. I've submitted a feature request to them to allow this. I've gotten around this meanwhile by creating a username as "user.jumpcloud" On Tue, Feb 16, 2016 at 12:20 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Is wpa_supplicant appropriate for this? I downloaded it, but having compile issues so I haven't been able to try it.
what compilation issues? its usually just the libnl/libnl-devel packages
../src/drivers/driver_nl80211.c:17:31: fatal error: netlink/genl/genl.h: No such file or directory compilation terminated. fixed it with apt-get install libnl1 libnl-dev -- --- Michael Martinez http://www.michael--martinez.com