How to make EAP-TTLS work with ldap ?

anindya.mukherjee at anindya.mukherjee at
Fri Sep 26 12:47:00 CEST 2014

Thanks for helping me. Like I said, I'm a newbie with freeradius and I've been getting a lot of conflicting advice. I found a compatibility matrix from here "" and my setup is successfully working after I set ttls' default eap type to gtc from md5. 

-----Original Message-----
From: at [ at] On Behalf Of Alan DeKok
Sent: Thursday, September 25, 2014 11:33 PM
To: FreeRadius users mailing list
Subject: Re: How to make EAP-TTLS work with ldap ?

anindya.mukherjee at wrote:
> I am a new user of Freeradius and my goal is to set up a freeradius
> server for wifi access control, which can look up users from an openldap
> database.

  That should be simple enough to do.

> I have set the default eap type as ttls with additional ldap
> configurations,  as well as added the radius schema to openldap and have
> created necessary attributes for the user entries.  I am using
> eapol_test to test the server and so far have managed to do basic PAP
> authentication and EAP-TTLS(MD5) against local user file. My problem is,
> the inner tunnel eap only works with ldap password hashes when the inner
> eap is set as MSCHAPV2, otherwise MD5 throws the error “rlm_eap_md5:
> Cleartext-Password is required for EAP-MD5 authentication”.

  Because you're probably storing passwords in hashed format.  That's
incompatible with EAP-MD5.

> So to make
> TTLS-EAP work with ldap, I have to use MSCHAPV2, and to make MSCHAPV2
> work, I have to keep sambaNTPassword attribute in the ldap database. And
> every time an user changes their password, both sambaNTPassword and
> userPassword attributes have to be changed.

  That makes no sense.  If you have a userPassword attribute, it should
be picked up by FreeRADIUS.

> Is there a way to make inner
> tunnel work with ldap userPassword attribute ? I’m sorry if I sound
> stupid, but I really need to know what I’m doing wrong.

  Read raddb/sites-available/inner-tunnel.  In newer versions of the
server (NOT 2.1.12), there are instructions for these kinds of tests.
You won't need eapol_test.  Just radclient.

  Ensure that FreeRADIUS is allowed to read the userPassword entry, too.

  Once you get it working for inner-tunnel, TTLS should work without any

  Alan DeKok.
List info/subscribe/unsubscribe? See

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

More information about the Freeradius-Users mailing list