Freeradius 3.0.17 EAP-TLS Authentication with LDAP Authorization
Alan DeKok
aland at deployingradius.com
Wed Aug 22 00:09:19 CEST 2018
> On Aug 21, 2018, at 3:29 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
>
> Hello all, I have followed previous advice given to me and upgraded my install to FreeRADIUS 3.0.17. I am trying to achieve a setup where computers are let onto the company internet via EAP-TLS and then are separated into VLANs with LDAP after this. Currently I believe I have EAP-TLS working, as my eapol_test has been successful. However, after adding in the LDAP module I am getting a bind error, which I know is an LDAP error and not a FreeRADIUS one. I was hoping someone here could take a look at my debug info and see if I have overlooked anything.
The debug message should be clear:
> ...
> (6) ldap: Performing search in "dc=Domain,dc=net" with filter "(samaccountname=client.pem)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
> (6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
The LDAP database requires FreeRADIUS to do a bind before a search. That message should be clear.
Fix the LDAP database so that it lets FreeRADIUS do searches.
The LDAP module is configured as:
ldap {
server = "Domain.net"
identity = "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"
password = <<< secret >>>
That user identity isn't allowed to do LDAP searches.
So... fix the LDAP database so that user identity can do LDAP searches.
Alan DeKok.
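A way to check the LDAP side on its own, as an added example that is not part of the thread and not FreeRADIUS project code: the script below repeats the exact bind and search the ldap module performed in the debug output (same identity, base DN, subtree scope and filter), using ldapsearch from the OpenLDAP client tools, and turns the ldapsearch exit status into which step failed. The bind DN, base DN and the User-Name "client.pem" are taken from the post; the URL scheme (the module's server line shows only "Domain.net", which means plain LDAP on port 389), the password file and the returned attribute list are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: reproduce the bind + search that the
# FreeRADIUS ldap module performed in the debug output, with the same identity, base
# DN, scope and filter, so the LDAP side can be checked with ldapsearch alone.
# Identity, base DN and User-Name are copied from the post; the URL scheme, the
# password file and the attribute list are assumptions (labelled below).

LDAP_URI="${LDAP_URI:-ldap://Domain.net}"           # assumed: the post shows only "Domain.net"
BIND_DN="${BIND_DN:-cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net}"
BASE_DN="${BASE_DN:-dc=Domain,dc=net}"
USER_NAME="${USER_NAME:-client.pem}"                # the User-Name FreeRADIUS put in the filter
LDAP_BIND_PW_FILE="${LDAP_BIND_PW_FILE:-}"          # assumed: file holding the module's password

# Simple bind as BIND_DN and a subtree search for the same filter the module used.
# The password comes from a file (-y) or an interactive prompt (-W); it is never put
# on the command line, where any local user could read it from the process list.
ldap_search_as_radius() {
    if [ -n "$LDAP_BIND_PW_FILE" ]; then
        ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$LDAP_BIND_PW_FILE" \
            -b "$BASE_DN" -s sub "(sAMAccountName=$USER_NAME)" dn sAMAccountName memberOf
    else
        ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
            -b "$BASE_DN" -s sub "(sAMAccountName=$USER_NAME)" dn sAMAccountName memberOf
    fi
}

# ldapsearch exits with the LDAP result code, so the exit status says which step
# failed: contacting the server, binding, or the search itself.
explain_ldap_rc() {
    case "$1" in
        0)   echo "success: bind and search both worked; an empty result means no entry has sAMAccountName=$USER_NAME" ;;
        1)   echo "operationsError: the server refused to search on a connection with no successful bind (the 000004DC case in the debug output)" ;;
        32)  echo "noSuchObject: the base DN $BASE_DN does not exist on this server" ;;
        49)  echo "invalidCredentials: the bind DN or its password was rejected" ;;
        50)  echo "insufficientAccessRights: bound, but this identity may not read the entries asked for" ;;
        255) echo "connectFailed: could not reach $LDAP_URI (hostname, port, firewall or TLS trust)" ;;
        *)   echo "ldapResult $1: see RFC 4511 section 4.1.9 for the code" ;;
    esac
}

# Only contacts the server when RUN_LDAP_CHECK=1, so the file can also be sourced
# for its functions without side effects.
if [ "${RUN_LDAP_CHECK:-0}" = "1" ]; then
    ldap_search_as_radius
    rc=$?
    explain_ldap_rc "$rc"
    exit "$rc"
fi
```

Run it as `RUN_LDAP_CHECK=1 LDAP_BIND_PW_FILE=/path/to/pwfile sh check_ldap_bind.sh` on the RADIUS host. If ldapsearch exits 1 with the same "000004DC ... a successful bind must be completed" text, the problem is reproducible outside FreeRADIUS and belongs to the directory or the service account; exit 49 means the identity or password itself is wrong; exit 0 with no entry means the bind is fine but no account has sAMAccountName equal to the User-Name the supplicant sent. Note that a simple bind over plain ldap:// sends the service-account password across the network in clear; once the bind works, point both this check and the module (ldaps:// or start_tls) at an encrypted transport.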
More information about the Freeradius-Users mailing list