Yet another Freeradius+openldap eap-ttls pap issue
Alan DeKok
aland at deployingradius.com
Thu Nov 28 14:58:40 CET 2013
Work wrote:
> I think I've successfully configured freeradius for the pap
> authentication with openldap since the radtest returns ok.
Read raddb/sites-available/inner-tunnel. It describes how to test the
*inner* portion of EAP. You should test that before going to the full
EAP tests.
> is this ugly? My company does not want to add radiuschema to the users.
It's fine.
> These are the configs:
We don't want the configs. They're not helpful.
> the debug from radius is:
Helpful.
> [ldap] Added User-Password = {MD5}tQzXLan1f4v2iAMD/1t2Ig== in check items
Which seems OK.
> Found Auth-Type = LDAP
> +- entering group LDAP {...}
> [ldap] Attribute "User-Password" is required for authentication.
> You seem to have set "Auth-Type := LDAP" somewhere.
> THAT CONFIGURATION IS WRONG. DELETE IT.
> YOU ARE PREVENTING THE SERVER FROM WORKING PROPERLY.
What part of that message is unclear?
> Thank you :), hope I'm not missing something stupid, I've read a lot of
> documentation here and there.
Reading the debug output helps. Don't force "Auth-Type := ldap". The
default configuration does NOT do this. So the only way it happens is
if you changed the configuration to do this.
Delete that, and it will work.
> ps. password on the LDAP are stored in hash form.
Which means you can only use EAP-TTLS / PAP. All other EAP types will
*not* work.
Alan DeKok.
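
Added example, not part of the original post: a Python sketch of why an LDAP {MD5} hash like the one in the debug output can verify a PAP password but not a CHAP response. The function names and the sample password are constructed for illustration; this is not FreeRADIUS code.

```python
import base64
import hashlib
import hmac
import os


def ldap_md5(password: bytes) -> str:
    """Build an LDAP-style {MD5} value: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def pap_check(cleartext: bytes, stored: str) -> bool:
    """PAP hands the server the cleartext, so it can hash it and compare."""
    scheme, _, b64 = stored.partition("}")
    if scheme != "{MD5":
        raise ValueError("only {MD5} is handled in this sketch")
    return hmac.compare_digest(hashlib.md5(cleartext).digest(),
                               base64.b64decode(b64))


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): MD5(id || secret || challenge), secret = cleartext."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_check_with_hash_only(chap_id: int, challenge: bytes,
                              response: bytes, stored: str) -> bool:
    """With only the stored digest, the server cannot rebuild the client's
    response; using the digest as the secret yields a different value."""
    digest = base64.b64decode(stored.partition("}")[2])
    return hmac.compare_digest(chap_response(chap_id, digest, challenge),
                               response)


if __name__ == "__main__":
    password = b"constructed-sample-pw"      # constructed sample value
    stored = ldap_md5(password)              # what the directory would hold
    print("stored value:", stored)
    print("PAP, right password:", pap_check(password, stored))
    print("PAP, wrong password:", pap_check(b"wrong", stored))

    challenge = os.urandom(16)
    client = chap_response(1, password, challenge)  # client knows cleartext
    print("CHAP, hash only:",
          chap_check_with_hash_only(1, challenge, client, stored))
```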