Wireless WPA2 enterprise Radius authentication

Phil Mayers p.mayers at imperial.ac.uk
Tue Oct 26 10:33:07 CEST 2010


On 10/26/2010 03:59 AM, midnightsteel wrote:
>
> Has anyone gotten Freeradius 2.x and LDAP (OpenLDAP, FDS, etc...) to properly
> authenticate users?
>
> I get the following in my radius log
>
> Auth: Login incorrect: [wii/<via Auth-Type = EAP>] (from client access port
> 0 via TLS tunnel)
> Auth: Login incorrect: [wii/<via Auth-Type = EAP>] (from client access port
> 14 cli 78e400881f19)
>
>
> This is driving me crazy. I can authenticate users from the radius serve to
> ldap but not from the access point to radius to ldap
>
> If anyone has gotten it to work please post the example config files that
> you used. Im open to answer any questions that you may have about my
> configs.
>
> Access point using WPA2-Enterprise>>  Freeradius 2.x>>  389-DS(Fedora LDAP)
>

Yes, people have used LDAP to authenticate 802.1x.

Run the server in debug mode (I should get a keyboard macro to type 
this) and look at the output:

radiusd -X | tee logfile

...as you make an authentication attempt. Chances are if you read that 
debug output (as suggested in the README) you'll see the problem. If not 
post the full debug output here.

In brief:

  1. Your ldap server needs to contain the password hash(es) appropriate 
for your method of authentication(s) - or better yet the plaintext - and 
the freeradius binddn must be able to see them

  2. The attribute names should match ldap.attrmap, or you should update is

You said "FreeRadius 2.x". That's a bit vague. What is the actual version?



More information about the Freeradius-Users mailing list