How to configure non-privileged LDAP bind in FreeRADIUS 3.0.11

Matthew Newton mcn at
Tue Jul 23 21:19:51 CEST 2019

On Tue, 2019-07-23 at 15:13 -0400, Kev Xlr wrote:
> The backend database is Azure AD DS with LDAPS enabled, and the goal
> is to have EAP-TTLS/PAP for wifi access points. Obviously passwords
> are not in cleartext so users should be authenticated by a simple
> LDAP bind by the rlm_ldap module.

Your client is using PEAP, not TTLS. So there's no inner PAP, and no
plaintext password is available for the LDAP bind.

> (0) eap: Peer sent packet with method EAP Identity (1)

c: EAP identity

> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge

fr: Can you do MD5?

> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)

c: Nope... PEAP please.
fr: OK!

Reconfigure the client to do TTLS/PAP, then see where you get from
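
Added example, not part of the original post: a small Python check that reads `eap:` debug lines in the format quoted above and reports which EAP method was negotiated and whether it can supply a cleartext password for an LDAP bind. The TTLS sample is constructed, and the function names and the `LDAP_BIND_CAPABLE` set are assumptions of this example.

```python
import re

# Lines copied from the debug output quoted in the post above.
PEAP_LOG = """\
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
"""

# Constructed sample: the same exchange with a client set up for TTLS (EAP type 21).
TTLS_LOG = PEAP_LOG.replace("PEAP (25)", "TTLS (21)")

OFFER = re.compile(r"^\((\d+)\) eap: Calling submodule eap_(\w+) to process data")
NAK = re.compile(r"^\((\d+)\) eap: Peer sent packet with method EAP NAK \(3\)")
AGREED = re.compile(r"^\((\d+)\) eap: Found mutually acceptable type (\w+) \((\d+)\)")

# Assumption of this example, following the post: only TTLS (21) can carry
# inner PAP, which is what gives rlm_ldap a cleartext password to bind with.
LDAP_BIND_CAPABLE = {21}


def negotiation(log):
    """Return the server's first offer, whether the peer NAKed it, and the agreed method."""
    result = {"offered": None, "nak": False, "agreed": None, "agreed_type": None}
    for line in log.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted debug lines
        if m := OFFER.match(line):
            result["offered"] = m.group(2).upper()
        elif NAK.match(line):
            result["nak"] = True
        elif m := AGREED.match(line):
            result["agreed"] = m.group(2)
            result["agreed_type"] = int(m.group(3))
    return result


def ldap_bind_possible(log):
    """True only if the agreed outer method can deliver a cleartext password."""
    return negotiation(log)["agreed_type"] in LDAP_BIND_CAPABLE


if __name__ == "__main__":
    for name, log in (("PEAP client", PEAP_LOG), ("TTLS client", TTLS_LOG)):
        print(name, negotiation(log), "LDAP bind possible:", ldap_bind_possible(log))
```

A TTLS result only means inner PAP is possible; the inner method the client actually uses still has to be checked in the tunnelled part of the debug output.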

