Freeradius 3.0.17 EAP-TLS Authentication with LDAP Authorization

Kevin Virk Kevin.Virk at
Wed Aug 22 17:43:57 CEST 2018

Thank you, Alan! That is what I assumed; however, I was told that this was the LDAP querying account, but it must not be, because then a successful bind would occur. Thank you for your time, I appreciate it!

From: Freeradius-Users < at> on behalf of freeradius-users-request at  <freeradius-users-request at>
Sent: Wednesday, August 22, 2018 3:00 AM
To: freeradius-users at
Subject: Freeradius-Users Digest, Vol 160, Issue 45

Today's Topics:

1. Re: Freeradius 3.0.17 EAP-TLS Authentication with LDAP
Authorization (Alan DeKok)


Message: 1
Date: Tue, 21 Aug 2018 18:09:19 -0400
From: Alan DeKok <aland at>
To: FreeRadius users mailing list
<freeradius-users at>
Subject: Re: Freeradius 3.0.17 EAP-TLS Authentication with LDAP
Message-ID: <FDDB0943-3129-4341-8965-7D98F5AAF5E4 at>
Content-Type: text/plain; charset=us-ascii

> On Aug 21, 2018, at 3:29 PM, Kevin Virk <Kevin.Virk at> wrote:
> Hello all, I have followed previous advice given to me and upgraded my install to FreeRADIUS 3.0.17. I am trying to achieve a setup where computers are let onto the company internet via EAP-TLS and then are separated into VLANs with LDAP after this. Currently I believe I have EAP-TLS working, as my eapol_test has been successful. However, after adding in the LDAP module I am getting a bind error, which I know is an LDAP error and not a FreeRADIUS one. I was hoping someone here could take a look at my debug info and see if I have overlooked anything.

The debug message should be clear:

> ...
> (6) ldap: Performing search in "dc=Domain,dc=net" with filter "(samaccountname=client.pem)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
> (6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.

The LDAP database requires FreeRADIUS to do a bind before a search. That message should be clear.

Fix the LDAP database so that it lets FreeRADIUS do searches.

The LDAP module is configured as:

ldap {
server = ""
identity = "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"
password = <<< secret >>>

That user identity isn't allowed to do LDAP searches.

So... fix the LDAP database so that user identity can do LDAP searches.

Alan DeKok.
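The debug lines Alan quotes carry two things worth reading mechanically: the search FreeRADIUS attempted (base, filter, scope) and the Active Directory "LdapErr" line, whose leading 8-hex-digit code is a Win32 error (000004DC is ERROR_NOT_AUTHENTICATED, i.e. the server treated the connection as unbound when the search arrived). The script below is an added example, not code from the thread or from the FreeRADIUS project: it parses debug output of that shape, distinguishes "search on an unauthenticated connection" from "bind itself rejected" (the AcceptSecurityContext case with AD's 52e/533/775 data codes), and prints the ldapsearch command that repeats the same simple bind and search outside FreeRADIUS, which is the quickest way to confirm whether the configured identity can actually search. The host name ldap://dc1.domain.net, the bad-password sample lines and the AD data-code table are assumptions made for the example; the bind DN and the first block of log lines are taken from the debug output above.

```python
"""Triage rlm_ldap debug output and build the equivalent ldapsearch check.

Added example; not from the mailing-list thread or the FreeRADIUS project.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the search + "Server said:" lines quoted in the thread.
SAMPLE_DEBUG = """\
(6) ldap: Performing search in "dc=Domain,dc=net" with filter "(samaccountname=client.pem)", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
(6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
"""

# Constructed sample (assumption): what AD returns when the bind DN's password is wrong.
SAMPLE_BAD_PASSWORD = """\
(7) ldap: Bind credentials incorrect: Invalid credentials
(7) ldap: Server said: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v2580.
"""

# AD "data" sub-codes that accompany a rejected bind (LDAP result 49).
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for the bind DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

SEARCH_RE = re.compile(
    r'Performing search in "(?P<base>[^"]*)" with filter "(?P<filter>[^"]*)", scope "(?P<scope>[^"]*)"')
SERVER_SAID_RE = re.compile(
    r'Server said: (?P<code>[0-9A-Fa-f]{8}): LdapErr: .*?, data (?P<data>[0-9a-fA-F]+), v(?P<ver>\d+)')


@dataclass
class Diagnosis:
    stage: str                 # "bind", "search" or "unknown"
    ad_code: str               # 8-hex-digit Win32 error code from the LdapErr line
    ad_data: str               # AD "data" sub-code (lower-cased)
    reason: str
    base: Optional[str] = None
    ldap_filter: Optional[str] = None
    scope: Optional[str] = None


def triage(debug_text: str) -> Diagnosis:
    """Classify the first AD error in rlm_ldap debug output."""
    base = filt = scope = None
    for line in debug_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            base, filt, scope = m.group("base"), m.group("filter"), m.group("scope")
        m = SERVER_SAID_RE.search(line)
        if not m:
            continue
        code, data = m.group("code").upper(), m.group("data").lower()
        if code == "000004DC":
            # Win32 ERROR_NOT_AUTHENTICATED: AD saw the search arrive on a
            # connection it regards as unbound (anonymous), so the configured
            # identity/password bind is not in effect for that search.
            return Diagnosis("search", code, data,
                             "search sent on an unbound connection; confirm the "
                             "ldap { identity/password } simple bind succeeds and "
                             "that this DN may search the base",
                             base, filt, scope)
        if code == "80090308":
            # AcceptSecurityContext error: the bind itself was refused.
            reason = AD_DATA_CODES.get(data, "bind rejected (unknown data code)")
            return Diagnosis("bind", code, data, reason, base, filt, scope)
        return Diagnosis("unknown", code, data, "unrecognised AD error", base, filt, scope)
    raise ValueError("no 'Server said:' line found in debug output")


def reproduce_command(d: Diagnosis, uri: str, bind_dn: str) -> str:
    """ldapsearch invocation that performs the same simple bind (-x, as
    rlm_ldap's identity/password does) and the same search. -W prompts for the
    password so it never lands in shell history; arguments are shell-quoted."""
    parts = ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", bind_dn, "-W",
             "-b", d.base or "", "-s", d.scope or "sub",
             d.ldap_filter or "(objectClass=*)", "sAMAccountName", "memberOf"]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    diag = triage(SAMPLE_DEBUG)
    print(diag.stage, diag.ad_code, diag.reason)
    # Host name is an assumption; the bind DN is the one from the ldap { } block above.
    print(reproduce_command(diag, "ldap://dc1.domain.net",
          "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"))
```

If the printed ldapsearch succeeds from the FreeRADIUS host with the same DN and password, the service account can bind and search and the problem is in how the connection is bound; if it fails with the same 000004DC or with an AcceptSecurityContext data code, the fix is on the directory side, as Alan says.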


End of Freeradius-Users Digest, Vol 160, Issue 45