Default radiusd.conf and Auth-Type LDAP comment
Alan DeKok
aland at deployingradius.com
Thu Sep 21 20:58:40 CEST 2006
Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
> While usually true, this assumption is a little confusing sometimes.
> Indeed, when EAP-TTLS uses PAP (not an EAP protocol, I know) as its
> inside authentication protocol, a cleartext password is provided to
> Freeradius which is then able to use a simple ldap bind exchange to
> authenticate the user.
But you still can't force "Auth-Type := LDAP", because then the
outer TTLS session will fail.
I'm inclined to remove the LDAP "bind as user" entirely, or move it
to a completely separate "ldap_bind" module. It's a major cause of
problems, and it's rarely necessary.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog