Authentication using LDAP for 802.1x

Olivier Beytrison olivier at
Wed Jun 19 14:49:21 CEST 2013

On 19.06.2013 14:11, Marco Streich wrote:
> Hi all
> We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the Connect Network Account Server functionality provided by OS X.
> I have seen this question getting asked a lot but still wasn't able to fill my gap in understanding the whole process. 

I will make it short and easy.

You can't do LDAP authentication with 802.1x. EAP needs the password of
the user in cleartext. If it's not in your LDAP, you're screwed.

And the debug log explains it:
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.


> At this moment, I cannot wrap my mind around what is going on here.
> I understand that ldap tries to authenticate the user by itself, instead of handing it to the LDAP server. But what is different when I run radtest?
> Debug from radtest:
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by "a4" with password "whatever"
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
>   [ldap] (re)connect to, authentication 1
>   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...

This works because you're doing PAP. With radtest the user password is
sent in cleartext. So YES, you can authenticate with LDAP because you can
BIND to the LDAP with the provided password.

You don't have this password with 802.1x/EAP. You work only with
challenges, hashes and keys.



 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at
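
The difference described in the message above, as an added example that is not part of the original post: PAP hands the server the cleartext password, so a one-way hash (or an LDAP bind) is enough, while a challenge-response exchange can only be checked by a server that holds the password itself. The sketch uses the CHAP construction from RFC 1994 (also used by EAP-MD5) as the challenge-response method; the function names and directory values are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def ssha(password: bytes, salt: bytes) -> str:
    """LDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_pap(stored_ssha: str, sent_password: bytes) -> bool:
    """PAP: the cleartext password arrives, so it can be re-hashed and compared."""
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(sent_password + salt).digest())

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(known_cleartext, ident: int, challenge: bytes, response: bytes) -> bool:
    """Challenge-response: the server must recompute the response itself."""
    if known_cleartext is None:
        return False  # no "known good" cleartext password: nothing to compute with
    expected = chap_response(ident, known_cleartext, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"whatever"                      # constructed sample password
    hashed_entry = ssha(password, os.urandom(8))  # directory stores only a hash
    ident, challenge = 1, os.urandom(16)
    response = chap_response(ident, password, challenge)  # sent by the client
    return {
        # PAP against a hashed directory entry works.
        "pap_hashed_dir": verify_pap(hashed_entry, password),
        "pap_wrong_pw": verify_pap(hashed_entry, b"wrong"),
        # The salted hash cannot be turned back into the CHAP input.
        "chap_hashed_dir": verify_chap(None, ident, challenge, response),
        # With the cleartext available, the same response verifies.
        "chap_cleartext_dir": verify_chap(password, ident, challenge, response),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```
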

More information about the Freeradius-Users mailing list