Question about EAP-TTLS and LDAP
Alan DeKok
aland at ox.org
Sat Nov 5 01:57:22 CET 2005
Hans Fiedler <hans at hermes.louisville.edu> wrote:
> We're using EAP-TTLS and checking against LDAP for password validation on
> our wireless access points (Cisco). It looks like the radius server is
> sending two requests to the LDAP server for every login. The first is for
> anonymous, which I think is for the EAP-TTLS tunnel, which doesn't match
> any username in LDAP. The second one is for the actual username and
> matches a LDAP username and authenticates OK. Our users are getting logged
> in OK, but the people managing the LDAP servers are complaining about the
> anonymous attempts.
Yeah, that's a result of the default configuration.
> DEFAULT User-Name =~ "[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]"
> Auth-Type := Reject,
The Auth-Type should go on the first line with the User-Name.
Running in debugging mode would tell you this.
The solution to your TTLS problem is simple, if you're only using
TTLS. Update the "authorize" section to call "ldap" conditionally:
authorize {
        ...
        Autz-Type inner-ldap {
                ldap
        }
}
Then in the "users" file, put the following at the top:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := inner-ldap
        Fall-Through = 1
Alan DeKok.
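As an added illustration (not part of the original post and not FreeRADIUS code), a simplified Python model of how the "users" file is matched: check items live on an entry's first line, reply items on the indented lines that follow, and Fall-Through = 1 lets matching continue to later entries. The sample file is constructed; it combines the Proxied-To entry above with a hex-username reject entry written with Auth-Type on the first line, which is why only the inner request picks up Autz-Type inner-ldap while the outer anonymous request does not.

```python
import re

# Constructed sample 'users' file (not from the original post). The first
# line of an entry carries check items; indented lines carry reply items.
USERS_FILE = """\
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := inner-ldap
        Fall-Through = 1
DEFAULT User-Name =~ "[0-9a-f]{12}", Auth-Type := Reject
"""

# attribute, operator, value (surrounding double quotes stripped)
ITEM = re.compile(r'\s*(\S+?)\s*(:=|==|=~|=)\s*"?([^",]*?)"?\s*$')


def parse_items(text):
    """Split 'a == x, b := y' into (attribute, operator, value) tuples."""
    return [ITEM.match(part).groups() for part in text.split(",") if part.strip()]


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                   # indented: reply items
            entries[-1][2].extend(parse_items(line))
        else:                                   # new entry: name + check items
            name, _, rest = line.strip().partition(" ")
            entries.append((name, parse_items(rest), []))
    return entries


def authorize(request, entries):
    """Walk the entries, apply the first match (more if it sets Fall-Through = 1)
    and return the control items (':=' on the first line) that were set."""
    control = {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        ok = all(
            (op != "==" or request.get(attr) == value)
            and (op != "=~" or re.search(value, request.get(attr, "")))
            for attr, op, value in checks
        )
        if not ok:
            continue
        control.update({a: v for a, op, v in checks if op == ":="})
        if not any(a == "Fall-Through" and v == "1" for a, _, v in replies):
            break
    return control
```

With this model, `authorize({"User-Name": "anonymous"}, parse_users(USERS_FILE))` returns no control items, so "ldap" is never reached for the outer TTLS request.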