Definitive Word on FreeRadius/LDAP/EAP Requirements
Aaron Mahler
amahler at sbc.edu
Sat Jun 27 06:39:03 CEST 2009
On Jun 26, 2009, at 10:50 AM, Arran Cudbard-Bell wrote:
> On 26/6/09 15:37, Ivan Kalik wrote:
>>>>> - Some have said EAP and LDAP can't be combined because LDAP
>>>>> requires
>>>>> plain text passwords here and EAP doesn't play ball in that manner
>>
>> Ldap "bind as user" authentication can't be used with EAP but that
>> doesn't
>> mean that you can't use passwords stored on Ldap server.
>
> It can with EAP-TTLS-PAP or anything else that provides a cleartext
> password.
>
I'm pleased to report that, earlier this evening, everything fell
into place. As I'd done a few times before, I removed and reinstalled
Freeradius and began systematically applying various settings. This
time around, I hit the right combination - thanks in part, of course -
to some of the feedback here in the forum.
My final working scenario consisted mainly of the following elements:
- Uncommenting of ldap references in the default config files
- Uncommenting of ldap references in the sites-enabled/inner-tunnel (had been focusing mostly on default before now)
- ldap server configured to be used on port 636 / SSL
- ldap server binding with a privileged CN - though, as I think back, this might be irrelevant now - I'll test that...
- addition of "Cleartext-password" mapped to "userPassword" in ldap.attrmap
- Test LDAP record (and, after success, ALL LDAP records) set to use cleartext password storage
The first success came testing from my iPhone which was using EAP-TTLS.
My test OS X machine was defaulting to TLS and wanting to provide a
user cert, but I overrode that locally and confirmed it worked.
Afterward, I set the eap.conf to default to EAP-TTLS. I remembered
then, however, that Windows clients don't inherently support this, so
I moved the default EAP method to PEAP.
Everything has been working nicely since and I've tested from OS X,
iPhone and Ubuntu. I'll hit XP and Vista machines with WiFi soon and
check those, but am not worried at this point.
My next issue has to do with my SSL cert to avoid clients getting
warned that it's untrusted (despite using a valid, commercial wildcard
cert from GoDaddy... but this appears to be related to use of an
intermediate cert). Since this is a different issue from the one in
this thread, I'll start a new thread (though I think I know the answer
based on previous posts).
Thanks to all!
- Aaron
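The post lists the settings that finally worked but not the files themselves. The fragment below is an added illustration of that combination written against the FreeRADIUS 2.x layout of the time; it is not Aaron's actual configuration or anything shipped by the FreeRADIUS project. The hostname, DNs, bind password and certificate paths are placeholders, and the assumption that port 636 with start_tls = no gives an LDAPS connection (rather than StartTLS on 389) is mine.

```conf
# --- raddb/modules/ldap ---
# server, identity, password and basedn are placeholders.
ldap {
	server = "ldap.example.edu"
	port = 636                  # LDAPS as in the post, not StartTLS on 389
	identity = "cn=radius,ou=services,dc=example,dc=edu"   # privileged bind DN
	password = "change-me"
	basedn = "ou=people,dc=example,dc=edu"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no           # plain LDAPS on 636, so no StartTLS upgrade
		cacertfile = /etc/ssl/certs/ca-certificates.crt
		require_cert = "demand"  # refuse an LDAP server whose certificate fails to verify
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	# With Cleartext-Password mapped in ldap.attrmap, the module copies the
	# stored password into the request and pap/mschap authenticate locally,
	# so the bind DN above must be allowed to READ userPassword.  Binding as
	# the user (Auth-Type LDAP) only works for inner methods that carry the
	# password in the clear, e.g. TTLS/PAP; PEAP/MS-CHAPv2 never does.
}

# --- raddb/ldap.attrmap: line to add (tab-separated columns) ---
checkItem	Cleartext-Password	userPassword
# Alternative that avoids cleartext storage: keep an NT hash in the
# directory (Samba schema attribute shown) and map it to NT-Password.
# mschap can verify MS-CHAPv2 from either attribute.
# checkItem	NT-Password	sambaNTPassword

# --- raddb/sites-enabled/inner-tunnel: ldap uncommented in authorize ---
authorize {
	chap
	mschap
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	files
	ldap
	expiration
	logintime
	pap
}

# --- raddb/eap.conf ---
eap {
	default_eap_type = peap      # Windows supplicants have PEAP built in, not TTLS
	timer_expire = 60
	ignore_unknown_eap_types = no
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem   # server cert, then the intermediate chain
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		cipher_list = "DEFAULT"
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}
```

Two checks worth doing on a setup like this. First, run `radiusd -X` and confirm the inner-tunnel debug shows ldap returning a Cleartext-Password (or NT-Password) for the test user before mschap runs; if only an SSHA hash comes back, PEAP/MS-CHAPv2 will fail no matter what else is set, and only TTLS/PAP with bind-as-user can succeed, which is the distinction Arran draws in the quoted reply. Second, for the untrusted-certificate problem mentioned at the end of the post, FreeRADIUS loads certificate_file as a chain file, so appending the CA's intermediate certificate after the server certificate in that file is the usual way to make clients see a complete chain.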