Question about EAP-TTLS and LDAP

Alan DeKok aland at ox.org
Sat Nov 5 01:57:22 CET 2005


Hans Fiedler <hans at hermes.louisville.edu> wrote:
> We're using EAP-TTLS and checking against LDAP for password validation on
> our wireless access points (Cisco).  It looks like the radius server is
> sending two requests to the LDAP server for every login.  The first is for
> anonymous, which I think is for the EAP-TTLS tunnel, which doesn't match
> any username in LDAP.  The second one is for the actual username and
> matches an LDAP username and authenticates OK.  Our users are getting logged
> in OK, but the people managing the LDAP servers are complaining about the
> anonymous attempts.

  Yeah, that's a result of the default configuration.

> DEFAULT User-Name =~ "[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]"
> 	Auth-Type := Reject,

  The Auth-Type should go on the first line with the User-Name.
Running in debugging mode would tell you this.

  The solution to your TTLS problem is simple, if you're only using
TTLS.  Update the "authorize" section to call "ldap" conditionally:

authorize {
	  ...
	  Autz-Type inner-ldap {
		ldap
	  }
}


  Then in the "users" file, put the following at the top:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := inner-ldap
	Fall-Through = 1

  Alan DeKok.
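The two fragments above only make sense together with the module ordering around them, so here is a worked example of the complete picture. This is an added illustration, not configuration taken from the original post or from the FreeRADIUS distribution; it assumes a FreeRADIUS 1.x layout (radiusd.conf with a single "authorize" section that also handles the TTLS inner request, and a "users" file read by the "files" module). The default behaviour, with "ldap" listed unconditionally, is shown commented out beside the conditional form.

```conf
# radiusd.conf, "authorize" section (hypothetical 1.x-style layout).
authorize {
	preprocess
	chap
	mschap
	suffix

	# eap runs first: the outer EAP-TTLS request (anonymous identity)
	# is claimed by the eap module here, so nothing below it needs to
	# look that identity up anywhere.
	eap

	# files must run before the Autz-Type block, because the "users"
	# entry below is what sets Autz-Type on the inner request.
	files

	# Default configuration: ldap is called for EVERY request,
	# including the outer anonymous one that never matches an LDAP entry.
	# ldap

	# Conditional form: ldap is only called when Autz-Type was set.
	Autz-Type inner-ldap {
		ldap
	}
}
```

```conf
# "users" file, first entry.
# FreeRADIUS-Proxied-To = 127.0.0.1 is present only on the request that the
# TTLS tunnel hands back to the server, i.e. the one carrying the real
# User-Name. The outer request lacks it, so this entry does not match,
# Autz-Type stays unset, and ldap is skipped for the anonymous identity.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := inner-ldap
	Fall-Through = 1
```

Fall-Through = 1 lets later "users" entries (per-user reply attributes, the hex-MAC Reject rule from the question once its Auth-Type is moved onto the first line) still be evaluated for the inner request. Running the server with debugging enabled shows which of the two requests reaches the Autz-Type block, which is the quickest way to confirm the LDAP server now sees one bind per login.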