Freeradius 3.0.17 EAP-TLS Authentication with LDAP Authorization

Alan DeKok aland at
Wed Aug 22 00:09:19 CEST 2018

> On Aug 21, 2018, at 3:29 PM, Kevin Virk <Kevin.Virk at> wrote:
> Hello all I have followed previous advice given to me and upgraded my install to FreeRADIUS 3.0.17 . I am trying to achieve a setup where computers are let onto company internet via eap-tls and then are separated into VLANS with ldap after this. Currently I believe I have eap-tls working as my eapol test has been successful. However after adding in the ldap module I am getting a bind error which I know is an LDAP error and not a freeradius one. I was hoping someone here could take a look at my debug info and see if I have overlooked anything.

  The debug message should be clear:

> ...
> (6) ldap: Performing search in "dc=Domain,dc=net" with filter "(samaccountname=client.pem)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: ERROR: Failed performing search: Operations error with LDAP database.  Please see the LDAP server configuration / documentation for more information.
> (6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.

  The LDAP database requires FreeRADIUS to do a bind before a search.  That message should be clear.

  Fix the LDAP database so that it lets FreeRADIUS do searches.

  The LDAP module is configured as:

 ldap {
       server = ""
       identity = "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"
       password = <<< secret >>>

  That user identity isn't allowed to do LDAP searches.

  So... fix the LDAP database so that user identity can do LDAP searches.

  Alan DeKok.

More information about the Freeradius-Users mailing list