802.1x, EAP and LDAP

Alan DeKok aland at deployingradius.com
Tue Mar 4 14:24:56 CET 2008


Mike Richardson wrote:
> The suggestions made so far have been to uncomment this authenticate entry.
> Once working should I be looking at commenting it out again and getting EAP
> to work without the above bind? 

  No.  If you're using TTLS + PAP, it's fine.  For PEAP, it's impossible...

> Ah, after another google search I've found another Novell article on
> freeradius:
> 
> https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
> 
> which suggests using 'tls_mode=yes' and the port as 636. I've tried it and
> it works - I can authenticate! However this option doesn't appear in the
> radiusd.conf - is it deprecated or just not documented?

  It seems that Novell has updated their documentation without telling
us.  Nice.  See why I say it's not the fault of FreeRADIUS?

> Seems that eDirectory needs an encrypted session before it'll present the
> password in clear text. Makes sense.
> 
> I've also tried it with 'start_tls=yes' and port as 389, this also seems to
> work. Which is the preferred method? Novell suggest the former but as it
> isn't documented...

  If it works, ship it.

  Alan DeKok


