Hi, I'm trying to setup freeradius 2.1.3 as a radius for wifi security. The setup is as follows : - AP is running dd-wrt, Wireless Security set Security Mode=radius - Client (Ubuntu Hardy) is setup using network-manager, connect to the wireless network using settings : Wireless Security=WPA2 Enterprise, EAP Method=PEAP, Key Type=Dynamic WEP, Phase2 Type=GTC - on freeradius the relevant eap.conf section follows #============================================== eap { default_eap_type = peap gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" cache { enable = no max_entries = 255 } } peap { default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } } #============================================== I have ldap (lda.conf) and pam sections (on radiusd.conf) correctly setup so that I can authenticate (tested with radtest) using system users (with pam) or LDAP user. Obviously EAP is not involved here yet. The comments on eap.conf says # The plain-text response which comes back # is put into a User-Password attribute, # and passed to another module for # authentication. This allows the EAP-GTC # response to be checked against plain-text, # or crypt'd passwords. There's also this comment on LDAP.conf # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). Now I'm assuming what happens when I use PEAP-GTC with system user is that : - eap calls peap - peap calls gtc - gtc calls PAP - PAP calls pam in which case GTC should receive the password in clear text (which is also visible from radiusd -X autput). Now the question: Can I set GTC to authenticate against LDAP? Using SYSTEM user with auth_type = PAP in gtc section works, tested with wireless client. #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My system password here>" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok rlm_eap_gtc: Everything is OK. [eap] Freeing handler ++[eap] returns ok Login OK: [<My system user here>] (from client <My client name here> port 0 via TLS tunnel) #============================================== but using LDAP user with auth_type = PAP in gtc section does not work #============================================== Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/gtc [eap] processing type gtc [gtc] +- entering group PAP {...} [pap] login attempt with password "<My LDAP password here>" [pap] No password configured for the user. Cannot do authentication ++[pap] returns fail [eap] Handler failed in EAP/gtc [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [<My LDAP user here>] (from client <My client name here> port 0 via TLS tunnel) #============================================== ... and setting auth_type = LDAP in gtc section (obviously) does not work #============================================== rlm_eap_gtc: Unknown Auth-Type LDAP rlm_eap: Failed to initialize type gtc /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap". /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section. #============================================== Is there any way I can get this to work? i.e. having eap -> peap -> gtc -> PAP -> LDAP Regards, Fajar