an infamous LDAP-FreeRadius question

Matt Ashfield mda at
Tue Jul 11 16:10:12 CEST 2006

Thanks for the links. I've seen a few before and have gone over them again
this morning. I'm not sure where I have misconfigured something. 

When I try to connect via 802.1x from a wireless client my Radius server
debugging looks like below. Obviously the TLS session is not being set up
correctly. I'm wondering about the private_key_password attribute. I just
set it to "whatever" but that needs to correspond to a user on the LDAP
server doesn't it? I'm not sure that's been set up. 

Any helpful ideas/comments are greatly appreciated. Thanks!
mda at

rad_recv: Access-Request packet from host x.x.x.201:6001, id=4, length=117
        User-Name = "mda"
        NAS-IP-Address = x.x.x.201
        Called-Station-Id = "00-02-2d-47-01-c4"
        Calling-Station-Id = "00-0e-35-36-48-f2"
        NAS-Identifier = "AP3WJD"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02040008016d6461
        Message-Authenticator = 0x3453e92189034ccc69804159f1c574e6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 4 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=xxx,dc=xxx,dc=xxx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver2:389, authentication 0
rlm_ldap: setting TLS CACert File to
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at 

-----Original Message-----
From: Zoltan Ori [mailto:z.ori at] 
Sent: July 11, 2006 10:44 AM
To: mda at; FreeRadius users mailing list
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
> I have LDAP configured and can do a cleartext radius authentication using
> username/passwords (using radtest). What I'd like to do is take the next
> step and do 802.1x authentication for my windows clients and I suppose
> that's where I was hoping to find some cleancut instructions on this as
> I've seen quite a bit of threads concerning this but as mentioned in my
> initial email, they can be tough to follow.

There is no shortage of information available. There are links to HOWTOs on the main page for 802.1x and EAP.

Read the docs on rlm_eap which has LDAP info. That can be found in your 
sources as well as on the wiki.

Also, see this document

Zoltan Ori

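The debug output in the thread shows rlm_ldap setting an empty TLS CA certificate file while requiring the server certificate ("demand"), then failing in ldap_start_tls_s(). The following is an added triage helper, not code from the thread or from FreeRADIUS: it reads `radiusd -X` output on stdin and flags that combination. The sample log lines are constructed from the post; the option names mentioned in the messages are the rlm_ldap keys `tls_cacertfile` and `tls_require_cert` from the ldap section of radiusd.conf.

```shell
#!/bin/sh
# Added example: triage rlm_ldap StartTLS failures in "radiusd -X" output.
# Not part of the original thread. Reads debug text on stdin, prints one
# finding per line, exits 1 when a TLS problem is found and 0 otherwise.

# Constructed excerpt, modelled on the debug output quoted in the post.
SAMPLE_DEBUG='rlm_ldap: (re)connect to ldapserver2:389, authentication 0
rlm_ldap: setting TLS CACert File to
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed'

diagnose_rlm_ldap_tls() {
    log=$(cat)
    findings=0
    # Values rlm_ldap prints for its TLS settings (empty string when unset).
    cacert=$(printf '%s\n' "$log" | sed -n 's/^rlm_ldap: setting TLS CACert File to[ ]*//p')
    reqcert=$(printf '%s\n' "$log" | sed -n 's/^rlm_ldap: setting TLS Require Cert to[ ]*//p')

    # The handshake itself failed: the directory never completed StartTLS.
    if printf '%s\n' "$log" | grep -q '^rlm_ldap: could not start TLS'; then
        echo "FAIL: ldap_start_tls_s() failed; StartTLS was rejected or never completed"
        findings=$((findings + 1))
    fi

    # Demanding a valid server certificate with no CA to validate it against
    # cannot succeed; the fix is to point tls_cacertfile at the CA that
    # signed the LDAP server certificate, not to relax tls_require_cert.
    if [ -z "$cacert" ] && [ "$reqcert" = "demand" ]; then
        echo "FAIL: tls_cacertfile is empty but tls_require_cert=demand; server cert cannot be validated"
        findings=$((findings + 1))
    elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "WARN: tls_cacertfile '$cacert' is not readable by the user running radiusd"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: printf '%s\n' "$SAMPLE_DEBUG" | diagnose_rlm_ldap_tls
```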