EAP-TTLS-PAP using LDAP for authorization and PAM for authentication
Erik Karlsson
pilo at ayeon.org
Sun Sep 28 14:51:21 CEST 2008
Hello!
I am trying to set up a simple WLAN authentication using EAP-TTLS to
avoid client certificates and PAM to use the server system
authentication scheme. PAM doesn't know about users, and the users are
situated in an LDAP database, which I think makes it logical to use
rlm_ldap for authorization. I.e. I just want to check that users exist
in LDAP and then move on to checking the password against PAM.
The problem is that PAM is never used. This seems to be an artifact of
the fact that rlm_ldap is supposed to fetch a "known good" password, but
I don't have passwords in the LDAP database. rlm_ldap is indeed
successful in authorizing, but there is no Auth-Type set to handle the
authentication.
If I for example force Auth-Type to PAM in the users file (not good, I
know), TTLS negotiation is never run.
If I add

    Auth-Type LDAP {
        pam
    }

to the authenticate section and let rlm_ldap set Auth-Type, it works
with radtest, but fails using TTLS:
pam_pass: function pam_acct_mgmt FAILED for <USERNAME>. Reason:
Authentication service cannot retrieve authentication info
My configuration is:

FreeRADIUS 2.0.5

sites-enabled/default:

    authorize {
        preprocess
        auth_log
        eap {
            ok = return
        }
        files
        ldap
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        pam
        eap
    }
Regards,
Erik Karlsson.
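An added example, not part of Erik's post and not his configuration, showing where the tunneled PAP request of EAP-TTLS is processed in FreeRADIUS 2.x. It assumes the 2.x defaults: the ttls section of eap.conf names a virtual server (inner-tunnel, from sites-available/inner-tunnel) that handles the inner request, so the ldap and pam sequence has to appear in that server as well as in sites-enabled/default. The Auth-Type LDAP block wrapping pam is the one quoted in the post; the set_auth_type option of rlm_ldap is what lets it set Auth-Type = LDAP. Whether Erik's eap.conf actually points at this server is not shown in the post.

```text
# Added example, not the poster's configuration.
# Assumes FreeRADIUS 2.x: the ttls section of eap.conf hands the inner
# (tunneled) request to the virtual server named in virtual_server;
# "inner-tunnel" is the 2.x default and lives in sites-available/inner-tunnel.

# eap.conf (excerpt)
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# modules/ldap (excerpt): let rlm_ldap set Auth-Type = LDAP when it
# finds the user, as the post relies on
ldap {
    set_auth_type = yes
}

# sites-enabled/inner-tunnel (excerpt)
server inner-tunnel {
    authorize {
        # Check that the tunneled User-Name exists in LDAP; with
        # set_auth_type = yes, rlm_ldap sets Auth-Type = LDAP.
        ldap
        # Lets the request be handled as plain PAP if no Auth-Type
        # was set above.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        # Same layout as in the post: LDAP is only consulted for the
        # account's existence; the cleartext inner password is
        # verified by PAM.
        Auth-Type LDAP {
            pam
        }
    }
}
```

Design note: TTLS-PAP carries the inner password in cleartext inside the TLS tunnel, which is what makes a PAM check possible at all; the radiusd process must also be able to reach whatever backend the chosen PAM service uses, since the pam_acct_mgmt message quoted in the post is reported by PAM itself, not by rlm_ldap.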