EAP-TTLS + LDAP + PAP with encrypted password

wekz fbl.list at gmail.com
Fri Aug 4 14:07:31 CEST 2006

Hi all,

I've been trying to get over this configuration but without any success. I'm
using freeradius-1.1.1.

First I had this working with eap-tls and peap for authentication and ldap
for authorization, and it was working quite well. As I have to integrate this
configuration with an ldap that has encrypted passwords, I decided to change
the authtype to pap over eap-ttls after reading Protocol and Password
Compatibility on Alan's site.

The authorization part of ldap does the following:

A user will be authorized to use remote access if he is in the ldap and
depending on the access policy defined if he belongs to a white or
After being authorized within the authorize section the user finds these


user-branch is the users file I use that has entries of the form (and
nothing else):

    DEFAULT ldap11-Ldap-Group == Local
            Fall-Through = No

This, as I said, was working right.

Now the only things I've added to radiusd.conf are

    modules {
        # I've commented out every other type (chap, mschap, peap,
        # leap...); only the ones listed here are set.

        pap {
            encryption_scheme = sha1
        }
        eap {
            default_eap_type = ttls
            gtc {
                auth_type = PAP    # I've tested without configuring gtc
                                   # too, setting default_eap_type in ttls
                                   # to md5 and commenting it out
            }
            tls {
                # my old configuration that works
            }
            ttls {
                default_eap_type = gtc
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
            }
        }
    }

    authorize {
        # ldap stuff
    }

    authenticate {
        Auth-Type PAP {
        }
    }

Then in the logs I can see that ( I don't put them because they are nearly
endless ):

                     The user is authorized and the password is obtained from the
ldap (rlm_ldap: Adding userPassword as User-Password, value
{sha}rur+4yJuecpmc8vxS/8wAyAMNHM= & op=21)
                           rad_check_password:  Found Auth-Type EAP
                           auth: type "EAP"
                     The eap-ttls tunnel is ok
                     And after matching the group Local in my users-file:

                                 auth: type Local
                                 auth: user supplied User-Password does NOT
match local User-Password
                                 auth: Failed to validate the user.


When I try this with clear-text passwords it works quite well, but I don't
know if it is working the way I want or not (with pap), because neither with
encrypted nor with clear-text passwords can I see any reference to rlm_pap
or gtc in the logs...

I imagine I'm doing something wrong but can't figure out what it is.

I've googled the internet and the mailing list but haven't made any
progress with what I've found.

So any comments are welcome.
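The log above ends with "auth: type Local" and "user supplied User-Password does NOT match local User-Password". Local authentication is a literal string comparison between what the client sent and what rlm_ldap copied out of userPassword; when that attribute holds a {sha} hash the comparison can never succeed, no matter which tunnel carried the password. What is needed is a check that hashes the clear-text password received inside the TTLS tunnel and compares digests, which is what the PAP path does once Auth-Type is actually PAP. The following Python, an added illustration rather than code from the post or from FreeRADIUS, shows both comparisons side by side on a constructed password ("secret", not the hash from the post) and also handles the salted {SSHA} form, since directories commonly mix the two:

```python
import base64
import hashlib
import hmac


def make_sha(password: str) -> str:
    """Store a password the way the poster's LDAP does: {SHA} + base64(SHA-1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(password: str, salt: bytes) -> str:
    """Salted variant found in many directories: {SSHA} + base64(SHA-1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_scheme(stored: str):
    """Return (scheme, payload). The scheme tag is matched case-insensitively,
    so the lowercase {sha} seen in the post is treated like {SHA}."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return "clear", stored


def pap_check(stored: str, supplied: str) -> bool:
    """The check a PAP-style module must perform when the directory holds a hash:
    hash the clear-text password the client sent inside the tunnel and compare
    digests in constant time."""
    scheme, payload = split_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(payload.encode(), supplied.encode())
    if scheme == "sha":
        expected = base64.b64decode(payload)
        return hmac.compare_digest(expected, hashlib.sha1(supplied.encode()).digest())
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(supplied.encode() + salt).digest())
    raise ValueError(f"unsupported password scheme: {scheme}")


def local_check(stored: str, supplied: str) -> bool:
    """The plain string comparison behind 'auth: type Local' in the log: it can
    only succeed when the directory stores the clear-text password itself."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    # Constructed sample: a user whose directory entry holds a {SHA} hash of "secret".
    stored = make_sha("secret")
    print("stored userPassword:", stored)              # {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    print("Local comparison   :", local_check(stored, "secret"))   # False: hash != clear text
    print("PAP-style check    :", pap_check(stored, "secret"))     # True
    print("PAP, wrong password:", pap_check(stored, "Secret"))     # False
```

The practical caveat this illustrates: the hashed-password check only runs when the request reaches Auth-Type PAP. In the 1.x configuration shown in the post, that means the pap module must be listed in the authorize section (after ldap) so it can set Auth-Type := PAP; with no Auth-Type set, the server falls through to the Local comparison that the log shows failing. Listing pap under authenticate alone is not enough.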
