FR + EAP-GTC + LDAP (SHA1)
Alan DeKok
aland at deployingradius.com
Thu May 21 15:07:08 CEST 2015
On May 21, 2015, at 9:01 AM, gabriel_skupien <gabriel_skupien at o2.pl> wrote:
>> That's probably not necessary. Just use "auth_type = PAP". And be sure
>> to list "ldap" in the "authorize" section.
>
> I tried this and it is not working. It did not even try to bind to LDAP as a user.
That's the point.
>>> 2) in sites-enabled/default: -authorize section - not touched, -authentication section - uncomment "Auth-Type LDAP { ldap }", And it is working fine!
>
>> You're usually better off letting the PAP module do the authentication.
>
> I do not understand how it could work without uncommenting "Auth-Type LDAP { ldap }" in the authenticate section. How would FR know to do LDAP auth without it?
It doesn't.
Perhaps you're missing something important. LDAP is a *database*. It's not an authentication server. FreeRADIUS is an authentication server.
FreeRADIUS should pull the "known good" password from LDAP. Because LDAP is a database. Then, FreeRADIUS should do all of the calculations for the authentication method. And FreeRADIUS should authenticate the user.
What happens when you have a cleartext password in LDAP, and FreeRADIUS receives an MS-CHAP request? With "Auth-Type = LDAP", it fails. Because LDAP doesn't do MS-CHAP.
When you use LDAP as a database and FreeRADIUS as an authentication server, it succeeds. FreeRADIUS pulls the password from LDAP, and does the MS-CHAP calculations.
>> Yes, but the passwords go over the network in the clear.
>
> No, they do not. Strongswan is the EAP client in that case, IPsec protects communication between the clients and Strongswan server, additionally FR is installed on the same machine so TTLS does not add any value here.
Anyone who can see traffic inside of the IPSec tunnel can see the EAP-GTC data, and the password.
You can't just say "we use IPSec", and believe that all of the security problems are addressed. You have to *understand* what the systems are doing.
Alan DeKok.
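Added example, not part of the original thread: the configuration Alan is describing, written out for FreeRADIUS 3.x with EAP-GTC carrying the password. The ldap module is listed in authorize so the server fetches the stored password, the pap module does the authentication, and the "Auth-Type LDAP { ldap }" bind-as-user block stays commented out. The server name, base DN, bind identity and bind password are placeholders; the gtc challenge string is arbitrary.

```text
# mods-available/eap (excerpt)
# EAP-GTC hands the cleartext password it receives to the PAP
# Auth-Type instead of binding to LDAP as the user.
eap {
    default_eap_type = gtc
    gtc {
        challenge = "Password: "   # free-form prompt text (assumption)
        auth_type = PAP
    }
}

# mods-available/ldap (excerpt)
# LDAP is only a database here: the server binds with its own
# identity and reads the user's stored password attribute.
ldap {
    server = 'ldap.example.org'                # placeholder
    identity = 'cn=radius,dc=example,dc=org'   # placeholder
    password = 'change-me'                     # placeholder
    base_dn = 'dc=example,dc=org'              # placeholder
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Copy userPassword (cleartext, or {SHA}/{SSHA}/{crypt}-prefixed)
        # into control:Password-With-Header; pap decodes the header.
        control:Password-With-Header += 'userPassword'
    }
}

# sites-enabled/default (excerpt); use the same two sections in
# sites-enabled/inner-tunnel if EAP-GTC is carried inside EAP-TTLS.
authorize {
    preprocess
    eap {
        ok = return
    }
    # Fetch the "known good" password from LDAP. "-ldap" lets the
    # server start even if the module is not loaded; write "ldap"
    # to make it mandatory.
    -ldap
    # pap normalises control:Password-With-Header and, when a
    # User-Password is present, sets Auth-Type := PAP.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Bind-as-user: leave disabled. It only proves the user can bind,
    # and it cannot serve CHAP or MS-CHAP because LDAP never does
    # those calculations.
    #Auth-Type LDAP {
    #    ldap
    #}
    eap
}
```

Two practitioner caveats. The bind identity must be allowed to read userPassword: default OpenLDAP ACLs expose that attribute for "auth" and "self" only, so a dedicated ACL entry for the RADIUS service account is needed, and a request that fails for this reason shows up in radiusd -X as ldap finding the user but pap reporting no "known good" password. And the stored form limits the methods: a {SHA} or {SSHA} hash, as the subject line suggests, is enough for PAP and therefore for EAP-GTC, but MS-CHAP needs a cleartext or NT-hash ({NT}) password, which is exactly the distinction Alan draws above.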