EAP-GTC w/ "PAP-like" LDAP authentication

Ian Pilcher arequipeno at gmail.com
Mon Jan 28 20:52:03 CET 2019

First, apologies for breaking threading.  (I had mail delivery turned
off, and Gmane's feed seems to be broken, so I'm cutting & pasting from
the archive.)

> Alan DeKok aland at deployingradius.com Sun Jan 27 20:17:58 CET 2019
> (a) Make sure PEAP works with certificates.

Done.  I've verified with tcpdump/Wireshark that the correct certificate
is being used.

> (b) configure and enable LDAP.  See mods-available/ldap


> Once the LDAP module is available, the server will automatically use
> it.

It's trying, but failing.

  (0) ldap: WARNING: No "known good" password added. Ensure the admin 
user has permission to read the password attribute

> And, the server will automatically grab passwords from LDAP.  And,
> the server will automatically use those passwords to do EAP-GTC.

It will try, but it will fail, because it doesn't have permission to
read passwords/hashes from LDAP.

I need to configure FreeRADIUS to bind *as the user* to LDAP.  If the
bind succeeds then the authentication succeeds.

> It also helps to describe what you've done, what happened, and why
> you think it's wrong.  Otherwise, we're limited to:
> Q: I tried stuff and it doesn't work.  What do I do? A: Try different
> stuff
> Which isn't helpful to anyone.  Better questions means better
> answers.

Fair enough.  This seems like it would be such a common configuration
that I would have thought that it would be documented somewhere.

Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------

More information about the Freeradius-Users mailing list