You could use ldap as authentication using EAP-TTLS. 2009/8/5 Alan DeKok <aland@deployingradius.com>:
Mark Saner wrote:
I'm using freeradius 2.0.4 for eap-peap authentication with LDAP as my back end. Everything is working great (thanks to help from this mailing list). However I was wondering if there is a way to get RADIUS to bind to LDAP as the user that is trying to authenticate rather than the LDAP admin account. I recall reading somewhere that it is not recommended to do this but I can't remember where and I am not finding it as I search this morning.
http://deployingradius.com/documents/protocols/compatibility.html
Is it possible to bind to the LDAP database as the user trying to authenticate? If so how? If not or if it isn't desirable what suggestions do you have for a more secure way of binding to the LDAP server?
It's not possible to do "bind as user" for PEAP. This is because there is no password in PEAP that can be used to "bind as user".
You should use LDAP as a *database*, not as an authentication server. Have LDAP supply a password to FreeRADIUS, and FreeRADIUS will authenticate the user.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html