Configuring LDAP lookups for EAP and inner-tunnel

Alan DeKok aland at
Thu Sep 23 20:33:17 CEST 2010

Jeffrey Collyer wrote:
> setup information that I failed to explain properly the first time :
> freeradius 2.1.7 is used to
> authenticate wireless users with eap-tls 

  Well... that would have been nice to say.

> I started with a default configuation and added ldap to it in the
> sites-enabled/default file's authorize section.  And it worked
> authenticating the client, but with many (about a dozen) ldap lookups.

  Because there are about a dozen EAP packet exchanges.

> Then I realized that the 'tls' section of the modules/eap.conf file
> doesn't have a virtual_server directive, but even after putting that in
> the 'tls' section, its still doesn't run an ldap query when I try to
> authenticate.

  Because the "virtual_server" directive doesn't belong in the "tls"

> So my assumption is that the eap module doesn't use the inner tunnel for
> tls.


  The solution is to move the LDAP checks to the "post-auth" stage.

  Alan DeKok.

More information about the Freeradius-Users mailing list