How to make EAP-TTLS work with ldap ?

Alan DeKok aland at
Thu Sep 25 20:03:26 CEST 2014

anindya.mukherjee at wrote:
> I am a new user of Freeradius and my goal is to set up a freeradius
> server for wifi access control, which can look up users from an openldap
> database.

  That should be simple enough to do.

> I have set the default eap type as ttls with additional ldap
> configurations,  as well as added the radius schema to openldap and have
> created necessary attributes for the user entries.  I am using
> eapol_test to test the server and so far have managed to do basic PAP
> authentication and EAP-TTLS(MD5) against local user file. My problem is,
> the inner tunnel eap only works with ldap password hashes when the inner
> eap is set as MSCHAPV2, otherwise MD5 throws the error “rlm_eap_md5:
> Cleartext-Password is required for EAP-MD5 authentication”.

  Because you're probably storing passwords in hashed format.  That's
incompatible with EAP-MD5.

> So to make
> TTLS-EAP work with ldap, I have to use MSCHAPV2, and to make MSCHAPV2
> work, I have to keep sambaNTPassword attribute in the ldap database. And
> every time an user changes their password, both sambaNTPassword and
> userPassword attributes have to be changed.

  That makes no sense.  If you have a userPassword attribute, it should
be picked up by FreeRADIUS.

> Is there a way to make inner
> tunnel work with ldap userPassword attribute ? I’m sorry if I sound
> stupid, but I really need to know what I’m doing wrong.

  Read raddb/sites-available/inner-tunnel.  In newer versions of the
server (NOT 2.1.12), there are instructions for these kinds of tests.
You won't need eapol_test.  Just radclient.

  Ensure that FreeRADIUS is allowed to read the userPassword entry, too.

  Once you get it working for inner-tunnel, TTLS should work without any

  Alan DeKok.
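An added illustration of the point above (not code from the list or from FreeRADIUS): inner PAP can be checked against a hashed userPassword because the supplicant hands over the cleartext, while EAP-MD5 is CHAP and the server must recompute MD5(id || password || challenge), which is impossible from a hash alone. The {SSHA} layout (base64 of sha1(password + salt) followed by the salt), the sample salt, and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Constructed sample salt; a real directory picks its own per entry.
SAMPLE_SALT = b"\x01\x02\x03\x04"

def make_ssha(cleartext: str, salt: bytes) -> str:
    """Build a userPassword value in the assumed {SSHA} layout."""
    digest = hashlib.sha1(cleartext.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, cleartext: str) -> bool:
    """Inner PAP: the tunnel delivers the cleartext, so a one-way hash suffices."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def eap_md5_response(identifier: int, cleartext: str, challenge: bytes) -> bytes:
    """EAP-MD5 is CHAP (RFC 1994): MD5(id || secret || challenge).
    The server recomputes this, so it needs the secret itself, not a hash of it."""
    return hashlib.md5(bytes([identifier]) + cleartext.encode() + challenge).digest()

def password_kind(stored: str) -> str:
    """Split the way an LDAP module would: a leading {SCHEME} marks a hash,
    anything else is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"

def inner_auth(stored: str, method: str, cleartext: str,
               challenge: bytes = b"\x00" * 16) -> bool:
    """Simulate the inner-tunnel decision for one stored userPassword value."""
    kind = password_kind(stored)
    if method == "PAP":
        if kind == "CLEARTEXT":
            return hmac.compare_digest(stored.encode(), cleartext.encode())
        if kind == "SSHA":
            return verify_ssha(stored, cleartext)
        raise ValueError(f"PAP: this example has no verifier for {{{kind}}}")
    if method == "EAP-MD5":
        if kind != "CLEARTEXT":
            # The same condition that produces the rlm_eap_md5 error quoted above.
            raise ValueError("Cleartext-Password is required for EAP-MD5 authentication")
        expected = eap_md5_response(1, stored, challenge)
        return hmac.compare_digest(expected, eap_md5_response(1, cleartext, challenge))
    raise ValueError(f"unknown inner method {method}")
```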
