Hans Fiedler <hans@hermes.louisville.edu> wrote:
We're using EAP-TTLS and checking against LDAP for password validation on our wireless access points (Cisco). It looks like the radius server is sending two requests to the LDAP server for every login. The first is for anonymous, which I think is for the EAP-TTLS tunnel, which doesn't match any username in LDAP. The second one is for the actual username and matches a LDAP username and authenticates OK. Our users are getting logged in OK, but the people managing the LDAP servers are complaining about the anonymous attempts.
Yeah, that's a result of the default configuration.
DEFAULT User-Name =~ "[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]" Auth-Type := Reject,
The Auth-Type should go on the first line with the User-Name. Running in debugging mode would tell you this. The solution to your TTLS problem is simple, if you're only using TTLS. Update the "authorize" section to call "ldap" conditionally: authorize { ... Autz-Type inner-ldap { ldap } } Then in the "users" file, put the following at the top: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := inner-ldap Fall-Through = 1 Alan DeKok.