On Jun 10, 2021, at 6:21 AM, P.Thirunavukkarasu <drthiruna@tanuvas.org.in> wrote:
Herewith I am sending the debug output as you mentioned for your reference Kindly guide me.
http://wiki.freeradius.org/radiusd-X Read it, looking for "warning" and / or "error".
(6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (6) ldap: --> (uid=ldap) (6) ldap: Performing search in "dc=tanuvas,dc=org,dc=in" with filter "(uid=ldap)", scope "sub" (6) ldap: Waiting for search result... (6) ldap: User object found at DN "uid=ldap,ou=Faculty,ou=People,ou=Registrar,ou=Users,dc=tanuvas,dc=org,dc=in" (6) ldap: Processing user attributes (6) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
That seems to be pretty clear.
(6) eap_gtc: Auth-Type PAP { (6) pap: Login attempt with password (6) pap: No password configured for the user. Cannot do authentication
Exactly. Your database MUST supply a "known good" password to FreeRADIUS. Read mods-available/ldap. It has EXPLICIT instructions for doing tests with "ldapsearch". If running "ldapsearch" doesn't return a password, then many EAP types simply won't work. You MUST configure TTLS + PAP on the client for EAP. You MUST use LDAP authentication in sites-enabled/inner-tunnel. i.e. authorize { ... if (User-Password) { update control { Auth-Type := LDAP } } ... } authenticate { ... ldap ... } Nothing else will work. This is a limitation of Google Secure LDAP. Alan DeKok.