21 Sep
2006
21 Sep
'06
2:58 p.m.
Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
While usually true, this assumption is a little confusing sometimes. Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its inside authentication protocol, a cleartext password is provided to Freeradius which is then able to use a simple ldap bind exchange to authenticate the user.
But you still can't force "Auth-Type := LDAP", because then the outer TTLS session will fail. I'm inclined to remove the LDAP "bind as user" entirely, or move it to a completely separate "ldap_bind" module. It's a major cause of problems, and it's rarely necessary. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog