FreeRADIUS 3.0.12 + openLDAP + Apple access point?

Alan DeKok aland at
Wed Dec 6 14:27:15 CET 2017

On Dec 6, 2017, at 8:20 AM, Tobias Balle-Petersen <tobiasbp at> wrote:
> At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP
> backend for use with my Apple access points. This has worked for years.

  That's common. I've seen people with installations that are 10+ years old.  If it works... why change it?

> I am now trying to make the same confuguration with FreeRADIUS 3.0.12 in a
> FreeBSD jail. Unfortunately, I can not make it work.

  Follow the guide:

  And test the "inner-tunnel" first.  Read the comments at the start of that file for more details.

> I have pasted the lengthy log of a failed attempt here:
> It looks to me like this is where it goes wrong:
> (18) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (18)       [pap] = noop
> (18)     } # authorize = updated
> (18)   Found Auth-Type = Reject
> (18)   Auth-Type = Reject, rejecting user

  That means the "Auth-Type = Reject" was set somewhere long before that message is printed.  Read the *rest* of the log to look for Reject, or something that might set it.


> (8) files: users: Matched entry DEFAULT at line 63

 As ALWAYS, the default configuration works.  Install it, add a user, configure a cert, and EAP for WiFi *will* work.

 Many people start mashing all kinds of things into the config without testing.  Then, after a few days of editing, it doesn't work.  Since they *never* tested it, it never worked, and they have no idea where it went from "working" to "not working".

  Take a methodical approach to changing the configuration.  And *test* it every time you make a change.  This is all documented in "man radiusd".

  Alan DeKok.

More information about the Freeradius-Users mailing list