Question about differences between possibilities of authentication

Bas Penris b.penris at
Fri Apr 12 08:41:19 CEST 2013

Hi All,
The last week I've had my first encounter with FreeRADIUS as we were supposed to deploy eduroam. I had a lot of fun doing it although I have dreamt about the config files after a couple of days :)
Everything is working as it should so no worries there, but I'm curious about something. I configured the proxies and the local realm. When I did a radtest like this:
radtest cheese at password 1 secret
I would get an Accept-Accept. The debug output would show that first a bind and then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, let's try it on my mobile phone because a test account I got from an academic institution in the UK worked so local authentication should work as well! I entered the credentials but now comes the difference. Using a Wifi device made the LDAP search fail because it tried to authenticate the user at in stead of stripping the suffix.
I've been staring at the config files to see if I got the LDAP-filter defined two times somewhere but that doesn't seem to be the case. Now, this wasn't a really big problem because users can be pretty stupid and we decided to let them authenticate using their email address in stead of their username at domain which would to too much confusion for them.
The LDAP filter was:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Is now:
filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
The proxy.conf lines right before it's defaulted to eduroam:
realm {
Anyone has an idea why radtest would behave differently from an 802.1x login?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list