Question about differences between possibilities of authentication

Alan DeKok aland at
Fri Apr 12 15:52:01 CEST 2013

Bas Penris wrote:
> Everything is working as it should so no worries there, but I'm curious
> about something. I configured the proxies and the local realm. When I
> did a radtest like this:
> radtest cheese at password 1 secret
> I would get an Accept-Accept.

  That's the easy part.

> The debug output would show that first a
> bind and then an LDAP search is performed in our eDirectory. Okay! Fun
> times I thought, let's try it on my mobile phone because a test account
> I got from an academic institution in the UK worked so local
> authentication should work as well! I entered the credentials but now
> comes the difference. Using a Wifi device made the LDAP search fail
> because it tried to authenticate the user at
> instead of stripping the suffix.

  Don't test from a mobile device until you've done complete EAP testing
yourself.  You'll get a LOT more useful information.

  See my web page:

> I've been staring at the config files to see if I got the LDAP-filter
> defined two times somewhere but that doesn't seem to be the case. Now,
> this wasn't a really big problem because users can be pretty stupid and
> we decided to let them authenticate using their email address instead
> of their username at domain which would lead to too much confusion for them.

  It's usually best to use the full email address.  It simplifies a lot
of issues.

> The LDAP filter was:
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> Is now:
> filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
> The proxy.conf lines right before it's defaulted to eduroam:
> realm {
> }

  So.. you're posting tiny pieces of the config.  But not the debug
output as suggested in the FAQ, README, "man" page, web pages, and daily
on this list?

> Does anyone have an idea why radtest would behave differently from an 802.1x
> login?

  Because it's doing different searches.  See the debug output for more
information.  It's all in there.  Really.  That's why we tell people to
read it, and to post it here.

  Alan DeKok.
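
The two LDAP filters quoted in the message above, expanded for two constructed requests, one with Stripped-User-Name set and one without. This is an added example, not part of the original message and not FreeRADIUS code: `expand` is a simplified model of `%{Attr:-default}` expansion, and `cheese@example.org` is a placeholder address.

```python
# Simplified model of the %{Attr} / %{Attr:-default} expansion used in the
# filters quoted above. Not FreeRADIUS code; request values are constructed.

# Characters RFC 4515 requires to be escaped inside a filter value.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

OLD_FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"
NEW_FILTER = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"

def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def _closing_brace(text, start):
    """Index of the '}' matching the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in filter")

def expand(template, request):
    """Substitute request attributes into an LDAP filter template."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i + 1)
            name, has_default, default = template[i + 2:end].partition(":-")
            value = request.get(name)
            if value:                       # attribute present: escape and use it
                out.append(ldap_escape(value))
            elif has_default:               # absent: fall back to the default
                out.append(expand(default, request))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

if __name__ == "__main__":
    stripped = {"User-Name": "cheese@example.org", "Stripped-User-Name": "cheese"}
    unstripped = {"User-Name": "cheese@example.org"}
    for label, req in (("stripped", stripped), ("unstripped", unstripped)):
        print(label, expand(OLD_FILTER, req), expand(NEW_FILTER, req))
```

Comparing the printed filters with the search strings in the server's debug output shows which of the two cases a given login is hitting.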
