802.1x ->Radius ->Ldap

Fajar A. Nugraha fajar at fajar.net
Fri Jun 18 04:03:41 CEST 2010

On Fri, Jun 18, 2010 at 7:44 AM, Kyle Plimack <kplimack at videoegg.com> wrote:
> I have pap working (i.e.  I ran radtest and got an access-accept).
> I don’t want to configure certs on each of my hosts for each of my clients,
> so I’d like to use PEAP/msChapV2 so that dot1x clients are prompted for and
> username/password.
> According to the deployingradius.com guide, once pap is working, mschapv2
> should “just work”.  It doesn’t.

It should, IF passwords are stored in plain text in your LDAP schema.
If they aren't (as in the case of AD or Lotus Domino), then you either
need to make some adjustments (like using ntlm_auth with AD) or dump
mschapv2 and use PEAP/GTC with LDAP bind as user (like with Lotus

For the PEAP part, like John and Alan mentioned, you need to enable LDAP
in the inner tunnel as well. "radtest" doesn't use EAP, so it can't check
for EAP configuration errors.
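The two points above (ldap must be listed in the inner tunnel, and AD needs ntlm_auth because its NT hashes are not readable over LDAP) as an added FreeRADIUS 2.x-style configuration sketch; this is not from the thread or the FreeRADIUS distribution, and the file paths, the virtual-server name and the EXAMPLE domain are assumptions.

```conf
# eap.conf: PEAP hands the inner EAP method to the "inner-tunnel" virtual server
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2   # use "gtc" if LDAP only holds hashed passwords
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel: radtest (plain PAP) never reaches this server,
# so a working radtest says nothing about it. "ldap" must be listed here too.
server inner-tunnel {
    authorize {
        mschap
        suffix
        eap {
            ok = return
        }
        ldap    # fetch the user; with a cleartext userPassword, mschap can
                # derive the NT hash itself and MS-CHAPv2 works
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # If ldap found no password attribute it can read, it sets
        # Auth-Type = LDAP; this section then binds to LDAP as the user
        # with the cleartext password carried inside the tunnel (PEAP/GTC case).
        Auth-Type LDAP {
            ldap
        }
        eap
    }
}

# modules/mschap: for Active Directory, delegate MS-CHAPv2 to Samba's
# ntlm_auth instead of trying to read NT hashes from LDAP.
# "EXAMPLE" is a placeholder NT domain; the path is an assumption.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Because radtest cannot exercise EAP, test the inner tunnel with a real PEAP/MSCHAPv2 supplicant while watching `radiusd -X`, which shows whether the inner request reached the ldap module.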


