authenticating against local LDAP and Jumpcloud LDAP

Michael Martinez mwtzzz at
Tue Feb 16 02:20:43 CET 2016

I'm new to Freeradius, so I'm looking either for an actual answer on how to
do what I need, or to point me towards the right documentation so I can
learn enough about how Freeradius config files are processed so that I can
figure out the solution on my own.

The situation is this: I've got a Freeradius server that successfully
authenticates Wifi devices with EAP-TTLS with PAP for the inner tunnel. The
system also works for ssh clients with PAM authentication. I set up it
myself following different instructions, half-knowing but not really
knowing what I was doing. But it works.

Recently I set up an LDAP directory in Jumpcloud. Their instructions for
integrating with Freeradius also are for PAP within TTLS, and involve
making one change in the sites-available/inner-tunnel file:

within the authorize{} block, move the following to the bottom of the block
update control {
    Proxy-To-Realm := LOCAL
and insert Auth-Type := `/bin/bash /opt/RadiusCheck/
'%{User-Name}' '%{User-Password}'` immediately after the Proxy-to-Realm

The script is just a simple shell script that makes an LDAP
query to Jumpcloud and returns a success or fail.

Okay, I don't know what "update control" is for. I don't know how the
authorize section works, but I made the changes and tested it out and it
works fine for my Jumpcloud user. But it doesn't work anymore for my local
LDAP users because irying to authenticate all users against jumpcloud.

What I'd like is for the local ldap database to be queried first. And if
that fails, then to check the Jumpcloud directory. Looking through the
inner-tunnel file I see a few references to ldap, but these are all
commented out, so I'm not clear how/where the local ldap database is being


More information about the Freeradius-Users mailing list