How to make EAP-TTLS work with ldap?
Alan DeKok
aland at deployingradius.com
Thu Sep 25 20:03:26 CEST 2014
anindya.mukherjee at wipro.com wrote:
> I am a new user of Freeradius and my goal is to set up a freeradius
> server for wifi access control, which can look up users from an openldap
> database.
That should be simple enough to do.
> I have set the default eap type as ttls with additional ldap
> configurations, as well as added the radius schema to openldap and have
> created necessary attributes for the user entries. I am using
> eapol_test to test the server and so far have managed to do basic PAP
> authentication and EAP-TTLS(MD5) against local user file. My problem is,
> the inner tunnel eap only works with ldap password hashes when the inner
> eap is set as MSCHAPV2, otherwise MD5 throws the error “rlm_eap_md5:
> Cleartext-Password is required for EAP-MD5 authentication”.
Because you're probably storing passwords in hashed format. That's
incompatible with EAP-MD5.
> So to make
> TTLS-EAP work with ldap, I have to use MSCHAPV2, and to make MSCHAPV2
> work, I have to keep sambaNTPassword attribute in the ldap database. And
> every time a user changes their password, both sambaNTPassword and
> userPassword attributes have to be changed.
That makes no sense. If you have a userPassword attribute, it should
be picked up by FreeRADIUS.
> Is there a way to make inner
> tunnel work with ldap userPassword attribute ? I’m sorry if I sound
> stupid, but I really need to know what I’m doing wrong.
Read raddb/sites-available/inner-tunnel. In newer versions of the
server (NOT 2.1.12), there are instructions for these kinds of tests.
You won't need eapol_test. Just radclient.
Ensure that FreeRADIUS is allowed to read the userPassword entry, too.
Once you get it working for inner-tunnel, TTLS should work without any
changes.
Alan DeKok.
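The two checks Alan suggests (confirm that the RADIUS bind account can actually read userPassword, then send a plain PAP request straight at the inner-tunnel virtual server with radclient before touching EAP-TTLS) as an added example script. This is not from the post or from the FreeRADIUS project. Everything site-specific in it is an assumption: a FreeRADIUS 3.x layout where raddb/sites-available/inner-tunnel listens on 127.0.0.1:18120 with the default localhost secret testing123, an OpenLDAP server on ldap://localhost, a read-only bind DN cn=freeradius,dc=example,dc=org with password radiusbindpw, and a test user uid=bob under ou=people,dc=example,dc=org. Adjust the variables at the top to match your site.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the FreeRADIUS project.
# Assumptions (all illustrative, override via environment):
#   FreeRADIUS 3.x with inner-tunnel listening on 127.0.0.1:18120 and the
#   default localhost client secret "testing123";
#   OpenLDAP on ldap://localhost, RADIUS bind DN cn=freeradius,dc=example,dc=org
#   (password "radiusbindpw"), users under ou=people,dc=example,dc=org.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BINDDN="${LDAP_BINDDN:-cn=freeradius,dc=example,dc=org}"
LDAP_BINDPW="${LDAP_BINDPW:-radiusbindpw}"
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=org}"
INNER_TUNNEL="${INNER_TUNNEL:-127.0.0.1:18120}"
INNER_SECRET="${INNER_SECRET:-testing123}"

# Build the attribute list radclient reads from stdin for a PAP request.
# PAP carries the cleartext password, so rlm_pap can verify it against a
# hashed userPassword; this is what a TTLS/PAP inner request looks like.
inner_tunnel_request() {
    printf 'User-Name = "%s", User-Password = "%s"\n' "$1" "$2"
}

# Decide from radclient -x output whether the server accepted the request.
# Returns 0 on Access-Accept, 1 on Access-Reject, timeout or anything else.
radclient_accepted() {
    printf '%s\n' "$1" | grep -q '^Received Access-Accept'
}

# Check 1: bind as the RADIUS service account and ask for userPassword
# explicitly. If the slapd ACL hides it, the entry comes back without a
# userPassword line and rlm_ldap has nothing to hand to rlm_pap.
check_userpassword_readable() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$LDAP_BINDDN" -w "$LDAP_BINDPW" \
        -b "$LDAP_BASE" "(uid=$1)" userPassword | grep -q '^userPassword:'
}

# Check 2: send a plain PAP request to the inner-tunnel virtual server.
# No EAP, no eapol_test: this isolates the LDAP lookup from the TLS tunnel.
test_inner_tunnel() {
    out=$(inner_tunnel_request "$1" "$2" |
          radclient -x "$INNER_TUNNEL" auth "$INNER_SECRET" 2>&1)
    printf '%s\n' "$out"
    radclient_accepted "$out"
}

# Run only when invoked as:  sh inner-tunnel-check.sh run bob hello
if [ "${1:-}" = run ]; then
    user="${2:-bob}"; pass="${3:-hello}"
    if check_userpassword_readable "$user"; then
        echo "ok: userPassword for $user is visible to $LDAP_BINDDN"
    else
        echo "FAIL: $LDAP_BINDDN cannot read userPassword for $user; fix the slapd ACL" >&2
        exit 1
    fi
    test_inner_tunnel "$user" "$pass" && echo "ok: inner-tunnel accepted $user"
fi
```

Once this script reports Access-Accept from the inner tunnel, test the full EAP-TTLS exchange with eapol_test using an inner method that carries the cleartext password, i.e. phase2="auth=PAP" in the supplicant configuration, rather than EAP-MD5: as Alan says, EAP-MD5 needs a Cleartext-Password and cannot work against a hashed userPassword, while PAP inside the TLS tunnel can.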