A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Jun 24 21:16:37 CEST 2013


> 	I had it wide open. Someone suggested I add the tcp above.

who suggested that?  standard basic old fashioned RADIUS uses
UDP ports 1812,1813 and 1814 - even older versions pre IANA adjustments
would have used UDP 1645 and 1646

> 	I get that. What I want the RADIUS server to do is query
> the LDAP server, rather than say a database or the
> /etc/freeradius/users file.

right. so first of all, send the radtest packets to the RADIUS server
- or get an access point to do that. the see what is happening and configure
the RADIUS server so that its using LDAP in the authorization/authentication
sections - uncomment 'ldap' and then edit the LDAP module.  the queries
will then go to your LDAP server as configured in the LDAP module.

then note what you CAN and CANT do with an LDAP server - what password
storage mechanisms will work with PEAP being used by a WPA2 Enterprise client

> 	Yes, I get that. I am trying to prove via radtest that
> the radius server can authenticate to the radius server, just as
> the users file can authenticate to the radius server.

the users file doesnt authenticate to the RADIUS server...you're getting
things the wrong way around. the RADIUS server uses the users file
as an oracle to check a username/password.....(and to set return values)

> 	So, I can run radtest only using credentials in
> /etc/freeradius/users?

you can use radtest (or eapol_test from the wpa_supplicant package)
to send an authentication request to the RADIUS server. the server is then 
configured to use whatever user/pass storage you want....there is NOTHING
to force it only to use the users file when using radtest. some people
use ActiveDirectory, some use SQL, some use LDAP, some use some RESTFUL API.
very few use the users file for serious production use ;)


More information about the Freeradius-Users mailing list