freeradius 2.05 peap and ldap bind?

Alan DeKok aland at
Wed Jun 11 19:32:33 CEST 2008

Tim Tyler wrote:
> Freeradius experts,
>   We just installed freeradius 2.05 on a Centos 5 system.  We got PEAP
> working rather quickly against our ldap server against LM/NT passwords. 
> We would also like to allow clients using Securew2 supplicants
> configured for TTLS -PAP connections against (crypt and SSHA) passwords
> stored in our ldap database.

  That shouldn't be hard.

>   I presume we need to do an ldap bind? 

  I would suggest not.  LDAP bind is a hack.  LDAP is a *database*.  Use
it as a *database*.

> How do I configure TTLS-pap
> requests to do an ldap bind for authorization/authentication without
> breaking PEAP in 2.05?  which 2.05 config file(s) will handle this
> directly?

  Configure the LDAP module to pull the passwords from LDAP, and add
them into the request.  This is, in fact, in the default config.

> Note:
>   In the old 1.x configs, I used to use the following authorize and
> authentication configs show below to allow secureW2 users configured
> with TTLS-pap to work:

  In 2.0, the virtual servers make your life easier.  A LOT easier.  See
raddb/inner-tunnel, and references to "inner-tunnel" in raddb/eap.conf.

  There's even a sample config for testing the inner tunnel portion
without doing EAP...

  Alan DeKok.

More information about the Freeradius-Users mailing list