EAP/TTLS Auth problem

Alan DeKok aland at deployingradius.com
Mon May 14 17:18:41 CEST 2012

Steve Hopps wrote:
> I'll post the full log. It should be pulling from OpenLDAP. I had to
> censor the log in a few places, including the IP of the system I'm
> using to test, which I changed to

  And please check Phil's comment.  It is *still* showing this:

[pap] Using CRYPT password "*"

  THAT is the problem.  "*" isn't a valid Crypt'd password.  It's there
because it's being read from /etc/passwd by the "unix" module.  The
"unix" module is doing that because your configuration is left over from
an older version.  This was changed in 2.1.10.  From the ChangeLog:

	* No longer look users up in /etc/passwd in the default
	  This can be reverted by enabling "unix" in the "authorize"

  In addition, the debug output *clearly* shows it's not getting
anything from LDAP:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access

  i.e. it found nothing.

  If you want it to read LDAP, then:

a) delete the "unix" module from the "authorize" section

b) don't test with a user who's in /etc/passwd

c) ensure that the user exists in LDAP.

  Alan DeKok.
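
A small checker for the two symptoms pointed out in the message above, added here as an example and not part of the original post or of FreeRADIUS: it scans `radiusd -X` debug lines for a PAP CRYPT value too short to be a crypt(3) hash and for an LDAP lookup that returned no items. The `diagnose` name, the finding labels and the attribute-line format in the second sample are assumptions.

```python
import re

PAP_CRYPT = re.compile(r'^\[pap\] Using CRYPT password "(.*)"')
LDAP_CHECK = "[ldap] looking for check items in directory..."
LDAP_DONE = re.compile(r"^\[ldap\] user (\S+) authorized")
# Assumption: a retrieved attribute is logged as "[ldap] <attr> -> <item> ...".
LDAP_ATTR = re.compile(r"^\[ldap\] \S+ -> ")
# Traditional DES crypt(3) output is 13 characters; anything shorter ("*",
# "x", "!") is a passwd/shadow placeholder, not a hash PAP can compare against.
MIN_CRYPT_LEN = 13

# The four debug lines quoted in the message.
SAMPLE_FROM_PAGE = [
    "[ldap] looking for check items in directory...",
    "[ldap] looking for reply items in directory...",
    "[ldap] user test authorized to use remote access",
    '[pap] Using CRYPT password "*"',
]
# Constructed sample: a lookup that does return a check item (format assumed).
SAMPLE_CONSTRUCTED_OK = [
    "[ldap] looking for check items in directory...",
    '[ldap] userPassword -> Cleartext-Password == "constructed-value"',
    "[ldap] looking for reply items in directory...",
    "[ldap] user alice authorized to use remote access",
]

def diagnose(debug_lines):
    """Return a list of (finding, detail) tuples for the given debug lines."""
    findings, in_ldap, ldap_attrs = [], False, 0
    for raw in debug_lines:
        line = raw.strip()
        pap = PAP_CRYPT.match(line)
        if pap and len(pap.group(1)) < MIN_CRYPT_LEN:
            findings.append(("placeholder-crypt", pap.group(1)))
        if line == LDAP_CHECK:
            in_ldap, ldap_attrs = True, 0      # start of one LDAP lookup
        elif in_ldap and LDAP_ATTR.match(line):
            ldap_attrs += 1                    # directory supplied an item
        else:
            done = LDAP_DONE.match(line)
            if in_ldap and done:
                if ldap_attrs == 0:            # lookup finished empty-handed
                    findings.append(("ldap-no-items", done.group(1)))
                in_ldap = False
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_FROM_PAGE):
        print(finding)
```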
