FreeRADIUS using OpenLDAP Security

Arran Cudbard-Bell a.cudbardb at
Fri Jul 18 19:40:32 CEST 2014

On 18 Jul 2014, at 12:00, John McCarthy <midactsmystery at> wrote:

> Hey Guys,
> I am running FreeRADIUS 3.0.3, OpenLDAP version 2.4.39. Both my openldap and freeradius servers are using start_tls. I have configured the freeradius server to use ldap and have verified that everything is working using `radiusd -XXX` and then `radtest username password localhost 18120 testing123`.
> So here is my setup. I have a Ubiquiti Unifi Access Point that I am using WPA-Enterprise on. I have the Unifi AP pointing to the FreeRADIUS server and using the correct secret. And on my FreeRADIUS server, I have the Unifi AP setup as a client with the same secret.
> When I connect to my Unifi AP from a wireless device, I select EAP-TTLS and PAP.
> So here is my question: is this setup the norm? Is this secure enough? Would you use a setup like this in a production environment?
> I just want to make sure I'm not forgetting some loophole or something. I am also wanting to make sure traffic from the Freeradius server to the LDAP server cannot be "sniffed"

No it can't be sniffed if it's using Start TLS.

> and traffic from the freeradius server to the unifi AP can't be "sniffed".

It can be, but they won't be able to harvest any credentials. You might leak VLAN numbers, IP addresses and User-Names but that's about the worst of it.

Until more vendors support RADSEC there's nothing more you can do.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
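To make concrete what the reply says about the AP-to-RADIUS leg, here is an added example (not from this thread or the FreeRADIUS project) that dissects constructed RADIUS packets and lists what a passive observer can read without the shared secret: the outer User-Name, NAS-IP-Address and the Tunnel-Private-Group-Id (VLAN) in the Access-Accept, while the EAP-Message attributes carrying the EAP-TTLS TLS records stay opaque and the PAP password never appears outside that tunnel. Attribute codes are from RFC 2865/2868/2869; all packet contents, names and addresses are made up for the example.

```python
import socket
import struct

# Attribute type codes from RFC 2865 (1, 4), RFC 2869 (79) and RFC 2868 (81).
USER_NAME, NAS_IP_ADDRESS = 1, 4
EAP_MESSAGE, TUNNEL_PRIVATE_GROUP_ID = 79, 81
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def build_packet(code, ident, authenticator, attrs):
    """Assemble code | id | length | 16-byte authenticator | TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Walk the attribute list; returns [(type, value_bytes), ...] or raises on bad framing."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    out, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out

def passive_view(packet):
    """What a sniffer on the AP<->RADIUS link can read without the shared secret."""
    view = {"user_name": None, "nas_ip": None, "vlan": None, "eap_tunnel_bytes": 0}
    for t, v in parse_attributes(packet):
        if t == USER_NAME:                      # outer EAP identity, plaintext
            view["user_name"] = v.decode()
        elif t == NAS_IP_ADDRESS:               # the AP's address, plaintext
            view["nas_ip"] = socket.inet_ntoa(v)
        elif t == TUNNEL_PRIVATE_GROUP_ID:      # VLAN id; first byte is the RFC 2868 tag
            view["vlan"] = v[1:].decode()
        elif t == EAP_MESSAGE:                  # TLS records of the EAP-TTLS tunnel: opaque
            view["eap_tunnel_bytes"] += len(v)
    return view

# Constructed samples (not a real capture): an EAP-TTLS Response (type 0x15) with a TLS record.
SAMPLE_REQUEST = build_packet(ACCESS_REQUEST, 0x2A, bytes(range(16)), [
    (USER_NAME, b"jdoe@example.org"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (EAP_MESSAGE, b"\x02\x01\x00\x0b\x15\x00\x16\x03\x01\x00\x20"),
])
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 0x2A, bytes(16),
                             [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"42")])
```

Running `passive_view` over both samples shows the User-Name, NAS-IP-Address and VLAN recovered in clear while only a byte count is learned from the EAP tunnel, which is exactly the exposure the reply describes.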
