EAP/TTLS on LDAP with freeradius 2.0.1

Vincent Magnin Vincent.Magnin at unil.ch
Wed Feb 6 15:36:48 CET 2008


hi Thierry,

in your /etc/raddb/users file, you can put the following to copy the
inner identity to the outer identity (works with freeradius 1 and 2):

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
         User-Name := `%{User-Name}`,
         Fall-Through = yes



Thierry CHICH <thierry.chich at ac-clermont.fr> wrote:

> Hello,
>
> I know that my problem is so simple that I should be ashamed to ask help, but
> I have to say that I can't find a good way to do what I want to do.
>
> With the previous release of freeradius 1.1.7, I could do the following
> things:
> - people with a correct outer identity and inner identity (login/password)
> could be authorized and authenticated on an LDAP server, using an EAP-TTLS
> tunnel, and obtain a WPA key.
> - with the same radius server, I could authenticate people with EAP-PEAP and
> mschapv2 on a sql database.
>
> It was nice, but I had a small problem: accounting was done using the outer
> identity. Since I was using the LDAP to do the authorization, people who put
> another valid identity weren't correctly accounted.
>
> Then, I decided to use freeradius 2.0.1. And then I don't see how to obtain
> a basic configuration that is doing my first point.
>
> I always finished with:
> rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
> auth: No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> If I put an Auth-Type := LDAP, it seems better at first, but it is
> worse:
> rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> +- entering group LDAP
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   You seem to have set "Auth-Type := LDAP" somewhere.
>   THAT CONFIGURATION IS WRONG.  DELETE IT.
>   YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
> ++[ldap] returns invalid
> auth: Failed to validate the user.
>
> At this point, I don't understand what freeradius wants.
> I don't know how to say: authorize on what you want, I don't care, and
> authenticate on my LDAP server.
>
> Is there a good configuration sample I can find anywhere?
>
> Regards,
>
> --
> Thierry CHICH
>



-- 
------------------------------------------------------------------------
Vincent Magnin                                    Vincent.Magnin at unil.ch
Ingénieur Réseau & Télécom                              +41 21 692 22 48
UNIL, Centre Informatique, 1015 Lausanne
Switzerland
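To see the two configuration points from this thread side by side, here is an added example (not from Vincent's or Thierry's mail, and not FreeRADIUS code): a small parser for the `users` file format that reports an `Auth-Type := LDAP` check item, which rlm_ldap rejects in the log above, and checks whether an inner-tunnel entry (`FreeRADIUS-Proxied-To == 127.0.0.1`) copies `User-Name` so accounting sees the inner identity. The sample `users` content is constructed.

```python
import re

# Constructed sample users file: the entry suggested in the reply, followed by
# the kind of entry the rlm_ldap log message says to delete.
SAMPLE_USERS = """\
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := `%{User-Name}`,
        Fall-Through = yes

DEFAULT Auth-Type := LDAP
        Fall-Through = yes
"""

# attribute, operator, value; ':=' and '==' are tried before a bare '='
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=|\+=|!=)\s*(.+?)\s*$')

def _item(text):
    m = ITEM_RE.match(text)
    if m is None:
        raise ValueError(f'cannot parse item: {text!r}')
    return m.groups()

def parse_users(text):
    """Return [(name, check_items, reply_items)] for each entry.
    An entry starts in column 0 ("name check, check, ..."); the indented
    lines that follow are reply items, one per line, comma-continued."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':                      # new entry
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            checks = [_item(p) for p in rest.split(',') if p.strip()]
            entries.append((parts[0], checks, []))
        else:                                         # reply item
            entries[-1][2].append(_item(line.rstrip().rstrip(',')))
    return entries

def lint(text):
    """Findings about the two points raised in the thread."""
    findings, copies_identity = [], False
    for name, checks, replies in parse_users(text):
        if ('Auth-Type', ':=', 'LDAP') in [(a, o, v.upper()) for a, o, v in checks]:
            findings.append(f'{name}: Auth-Type := LDAP makes rlm_ldap demand a '
                            'clear-text User-Password; remove it')
        inner_only = any(a == 'FreeRADIUS-Proxied-To' for a, _, _ in checks)
        if inner_only and ('User-Name', ':=', '`%{User-Name}`') in replies:
            copies_identity = True
    if not copies_identity:
        findings.append('no inner-tunnel entry copies User-Name outward; '
                        'accounting will use the outer identity')
    return findings
```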